CVE-2025-12970
📋 TL;DR
CVE-2025-12970 is a buffer overflow vulnerability in Fluent Bit's in_docker input plugin that allows attackers who can create or control container names to crash the Fluent Bit process or execute arbitrary code. This affects organizations using Fluent Bit to collect logs from Docker containers. The vulnerability is particularly dangerous in containerized environments where Fluent Bit runs with elevated privileges.
💻 Affected Systems
- Fluent Bit
📦 What is this software?
Fluent Bit by Treasure Data
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete compromise of the Fluent Bit process, potentially allowing attackers to execute arbitrary commands with the privileges of the Fluent Bit service, which often runs as root or with elevated permissions in container environments.
Likely Case
Process crash causing log collection disruption and potential denial of service, with possible information disclosure if memory contents are leaked during the overflow.
If Mitigated
Limited impact with proper network segmentation and container security controls that prevent attackers from creating malicious containers or controlling container names in the target environment.
🎯 Exploit Status
Exploitation requires the ability to create Docker containers or control container names. The buffer overflow is straightforward to trigger once an attacker has container creation privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.0 or 4.0.2
Vendor Advisory: https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/
Restart Required: Yes
Instructions:
1. Download Fluent Bit version 4.1.0 or 4.0.2 from the official website.
2. Stop the Fluent Bit service.
3. Replace the existing binary with the patched version.
4. Restart the Fluent Bit service.
5. Verify the version with 'fluent-bit --version'.
🔧 Temporary Workarounds
Disable Docker Input Plugin
Linux: Temporarily disable the vulnerable in_docker plugin if immediate patching is not possible
Edit the Fluent Bit configuration file and remove or comment out any [INPUT] section with 'Name docker'
Restart Fluent Bit: systemctl restart fluent-bit
Restrict Container Creation
Linux: Implement Docker security controls to prevent unauthorized container creation
Configure the Docker daemon with user namespace remapping
Implement Docker role-based access control (RBAC)
Use Docker Content Trust to verify container images
🧯 If You Can't Patch
- Implement network segmentation to isolate Fluent Bit instances from untrusted networks
- Apply strict Docker security policies and audit container creation permissions
🔍 How to Verify
Check if Vulnerable:
Check the Fluent Bit version with 'fluent-bit --version' and verify whether it is older than the fixed releases (4.0.2 on the 4.0 branch, 4.1.0 otherwise), then check whether the Docker input plugin is enabled in the configuration
Check Version:
fluent-bit --version
Verify Fix Applied:
Run 'fluent-bit --version' and confirm the version is 4.1.0, 4.0.2 or higher, then verify that Docker log collection works without crashes
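The version and configuration checks above combined into one script, as an added example that is not part of the advisory or the Fluent Bit project. It assumes the classic [INPUT]-style configuration file and that 'fluent-bit --version' prints a line of the form "Fluent Bit v4.0.1"; the fb_* function names are made up for this example.

```shell
# Added example (not from the advisory or the Fluent Bit project): flag a host
# as exposed to CVE-2025-12970 when BOTH advisory conditions hold: version
# below the fixed releases AND the in_docker plugin enabled. Assumptions:
# classic [INPUT]-style config, and `fluent-bit --version` printing
# a line like "Fluent Bit v4.0.1" (check this against your build).
# Pulls "major.minor.patch" out of `fluent-bit --version` output on stdin.
fb_parse_version() {
    sed -n 's/^Fluent Bit v\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# 0 = at or above a fixed release (4.0.2 on the 4.0 branch, or 4.1.0+),
# 1 = older than the fix, 2 = version string not understood.
fb_version_fixed() {
    ver=${1#v}
    case $ver in *.*.*) ;; *) return 2 ;; esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; patch=${rest#*.}
    patch=${patch%%[!0-9]*}          # drop suffixes such as "-rc1"
    [ "$major" -gt 4 ] && return 0
    [ "$major" -lt 4 ] && return 1
    [ "$minor" -ge 1 ] && return 0
    [ "$patch" -ge 2 ]
}

# 0 if the config has an [INPUT] section whose Name is docker (comment
# lines are skipped; Name lines in other sections do not count), 1 otherwise.
fb_docker_input_enabled() {
    awk '
        /^[ \t]*#/ { next }
        /^[ \t]*\[/ { in_input = (tolower($0) ~ /^[ \t]*\[input\]/) }
        in_input && tolower($1) == "name" && tolower($2) == "docker" { found = 1; exit }
        END { exit !found }
    ' "$1"
}

# 0 = vulnerable (old or unrecognised version AND docker input enabled),
# 1 = not vulnerable. $1 = version string, $2 = config file path.
fb_vulnerable() {
    fb_version_fixed "$1" && return 1
    fb_docker_input_enabled "$2"
}

# Live check for this host; $1 = path to fluent-bit.conf. Exit 0 = vulnerable.
fb_check_host() {
    ver=$(fluent-bit --version 2>/dev/null | fb_parse_version)
    if fb_vulnerable "${ver:-unknown}" "$1"; then
        echo "VULNERABLE: Fluent Bit ${ver:-unknown}, in_docker enabled in $1"
    else
        echo "not vulnerable: Fluent Bit ${ver:-unknown}, config $1"; return 1
    fi
}
```

An unparseable version string is treated as not fixed, so a host with in_docker enabled is reported vulnerable until the version can be confirmed.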
📡 Detection & Monitoring
Log Indicators:
- Segmentation fault or crash logs from Fluent Bit process
- Unusual container creation events with long names
- Abnormal termination of Fluent Bit service
Network Indicators:
- Unusual Docker API calls to create containers
- Network traffic to Fluent Bit from unauthorized sources
SIEM Query:
(source="fluent-bit" AND ("segmentation fault" OR "crash" OR "SIGSEGV")) OR (source="docker" AND event="create" AND container.name.length>100)