CVE-2025-12972

5.3 MEDIUM

📋 TL;DR

CVE-2025-12972 is a path traversal vulnerability in Fluent Bit's file output plugin (out_file). When the File option is omitted, the plugin derives the output file name from the record's tag without sanitizing it, so an attacker who controls the tag can use ../ sequences to write outside the configured output directory, with the log record itself as the file content. It affects Fluent Bit deployments where File is not set and untrusted senders can choose or influence the tag that reaches the logging pipeline. Organizations using Fluent Bit to collect logs from untrusted sources are at risk.

💻 Affected Systems

Products:
  • Fluent Bit
Versions: before 4.1.0 and 4.0.3
Operating Systems: Linux, Windows, macOS
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the file output plugin (out_file) is used without an explicit File parameter and the tags it receives can be influenced by untrusted input.

📦 What is this software?

Fluent Bit is a lightweight, open-source log processor and forwarder (a CNCF project) that is commonly run as a host agent or Kubernetes DaemonSet to collect, filter and route logs to storage and analytics backends. The file output plugin (out_file) writes records to local files; when File is not configured, each tag is written to its own file named after the tag.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could overwrite critical system files, install backdoors, or achieve remote code execution by writing malicious scripts to executable locations. The write happens with the privileges of the Fluent Bit process (frequently root on hosts and DaemonSets), and an attacker who also controls the log message controls the bytes written, because the plugin writes the formatted record to the file.

🟠

Likely Case

Attackers write arbitrary files to sensitive directories, potentially leading to data corruption, denial of service, or privilege escalation.

🟢

If Mitigated

With proper input validation and directory restrictions, impact is limited to file writes within controlled directories.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires network access to an input whose tag the attacker controls (the forward protocol, for example, lets the sending client choose the tag, and tags derived from record content are likewise attacker-influenced), with no filter rejecting the tag before a file output that lacks the File parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.0 or 4.0.3

Vendor Advisory: https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/

Restart Required: Yes

Instructions:

1. Download Fluent Bit 4.1.0 or 4.0.3 from official sources (packages or container images).
2. Stop the Fluent Bit service.
3. Replace the binary with the patched version (for container deployments, roll the image tag forward).
4. Restart the Fluent Bit service and confirm the new version with fluent-bit --version.

🔧 Temporary Workarounds

Explicit File Parameter

Platforms: all

Always specify an explicit File parameter in every file output section so that the tag is never used as a file name. Note that the plugin's configuration name is file (out_file is the source-tree name), and that with File set all matched tags are written to the same file; if you need one file per tag, only the patch restores that safely.

[OUTPUT]
    Name  file
    Match *
    File  /var/log/fluentbit/output.log

Input Validation Filter

Platforms: all

Add a Lua filter that rejects records with hostile tags before they reach the file output. A Lua filter cannot rewrite the tag (the callback returns only a code, the timestamp and the record), so the script must drop any record whose tag contains a path separator or a .. sequence rather than try to clean it.

[FILTER]
    Name lua
    Match *
    script sanitize_tags.lua
    call sanitize_tags
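The sanitize_tags.lua script that the filter block above refers to, written here as an added example; it is not Fluent Bit project code. It assumes the classic-config [FILTER] section above (`call sanitize_tags`), and the helper name `tag_is_safe` is this example's own.

```lua
-- sanitize_tags.lua
-- Added example for the [FILTER] block above; not part of the Fluent Bit project.
--
-- A Fluent Bit Lua callback receives (tag, timestamp, record) and returns
-- (code, timestamp, record). It cannot change the tag, so the only thing it
-- can do about a hostile tag is refuse the record (code -1) before the file
-- output turns that tag into a file name.

-- tag_is_safe is this example's own helper (assumed name).
-- Accepts only tags that are a single, plain file-name component.
local function tag_is_safe(tag)
  if type(tag) ~= "string" or tag == "" then
    return false
  end
  -- Path separators (both styles, since Fluent Bit also runs on Windows)
  -- and the parent-directory sequence are rejected using plain (non-pattern)
  -- searches so that '.' is not treated as a wildcard.
  if tag:find("/", 1, true) or tag:find("\\", 1, true) or tag:find("..", 1, true) then
    return false
  end
  -- Control characters (NUL, newline, ...) have no place in a file name.
  if tag:find("%c") then
    return false
  end
  return true
end

-- Entry point named by "call sanitize_tags" in the [FILTER] section.
function sanitize_tags(tag, timestamp, record)
  if tag_is_safe(tag) then
    return 0, timestamp, record   -- 0: keep record and timestamp unchanged
  end
  return -1, timestamp, record    -- -1: drop the record
end

-- Self-checks that run once when Fluent Bit loads the script (or under
-- `lua sanitize_tags.lua`); a failed assert aborts the load instead of
-- silently letting bad tags through. Inputs below are constructed samples.
assert(tag_is_safe("app.log"))
assert(tag_is_safe("kube.var.log.containers.api-7d9f.log"))
assert(not tag_is_safe("../../etc/cron.d/backdoor"))
assert(not tag_is_safe("..\\..\\Windows\\Tasks\\x.job"))
assert(not tag_is_safe("/etc/passwd"))
assert(not tag_is_safe(""))
```

Dropping is lossy by design: a record with a rejected tag is gone, and Fluent Bit writes no log line for it. If legitimate tags in your pipeline contain a slash, narrow the check to the .. sequence and treat the filter as a stopgap until the patch is applied; the filter also runs for every record matched by Match *, so restrict Match to the tags that are routed to the file output on high-volume pipelines.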

🧯 If You Can't Patch

  • Run Fluent Bit with a read-only filesystem view and make only the configured output directory writable (for example systemd ProtectSystem=strict with ReadWritePaths, or readOnlyRootFilesystem with a dedicated volume in Kubernetes); a traversal can then only land inside the directories you allowed
  • Run the process as a dedicated non-root user where log sources permit it, so that what it can overwrite is bounded
  • Implement network segmentation so that only trusted senders can reach the inputs (forward, tcp, http) whose tags end up at a file output
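A systemd drop-in that confines where the Fluent Bit process can write, as an added example rather than anything shipped by the Fluent Bit project. The unit name fluent-bit.service and the two directories are assumptions: use the unit your package installs, and list the directories your [OUTPUT] Path/File and storage.path settings actually need.

```ini
# /etc/systemd/system/fluent-bit.service.d/10-confine-writes.conf
# Added example, not Fluent Bit project configuration. Unit name and paths
# are assumptions; every path listed in ReadWritePaths must exist.
[Service]
# Mount the whole filesystem read-only for this service (/dev, /proc, /sys excepted)
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
NoNewPrivileges=true
# The only places the process may create or modify files: the file output's
# directory and the filesystem buffer/state directory.
ReadWritePaths=/var/log/fluentbit /var/lib/fluent-bit
```

Apply with systemctl daemon-reload followed by systemctl restart fluent-bit, then check the journal for EROFS errors that reveal a directory Fluent Bit legitimately needs. This bounds the damage rather than fixing the bug: a tag such as ../fluentbit/evil still resolves inside a writable directory, so an attempted traversal now shows up as a failed open from the file output instead of a file somewhere else on the host.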

🔍 How to Verify

Check if Vulnerable:

You are vulnerable if fluent-bit --version reports a release older than 4.1.0 or 4.0.3 and any file output section ([OUTPUT] Name file in classic configuration, name: file in YAML) has no File key, so that the tag chooses the file name, and the tags reaching it can be influenced by untrusted senders.

Check Version:

fluent-bit --version

Verify Fix Applied:

Confirm the reported version is 4.1.0+ or 4.0.3+. Then, on a disposable test instance configured with a file output that has Path but no File, send a record whose tag contains a ../ sequence (for example over the forward input) and confirm that no file was created outside the configured Path. Do not run this against production or an unpatched build, where the test itself performs the write.

📡 Detection & Monitoring

Log Indicators:

  • Files created by the fluent-bit process outside its configured output Path, or with .. in their name (file integrity monitoring, auditd rules on open/creat syscalls keyed to the fluent-bit executable, or Falco-style syscall rules)
  • Errors from the file output about failing to open its target file; Fluent Bit does not log per-record tags or the words "path traversal", so after write confinement these open failures are the visible trace of an attempted traversal

Network Indicators:

  • Tag fields containing ../ or ..\ in inbound forward-protocol traffic (the tag travels as a plain msgpack string and is visible to a protocol-aware sensor unless the connection uses TLS)

SIEM Query:

Illustrative Splunk-style syntax; it only works where the tag is indexed as a field, for example when Fluent Bit forwards records with their tag to the SIEM.

source="fluent-bit" AND (tag="*../*" OR tag="*..\*")
