CVE-2025-12977
📋 TL;DR
This vulnerability in Fluent Bit's input plugins allows attackers to inject malicious tag_key values containing special characters. When exploited, this can lead to newline injection, path traversal, forged record injection, or log misrouting, compromising data integrity and log routing. Organizations using Fluent Bit with in_http, in_splunk, or in_elasticsearch plugins are affected.
💻 Affected Systems
- Fluent Bit
📦 What is this software?
Fluent Bit by Treasure Data
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution, complete log system compromise, data exfiltration, or denial of service through log manipulation.
Likely Case
Log misrouting, data integrity issues, and potential path traversal leading to unauthorized file access.
If Mitigated
Limited impact with proper network segmentation and input validation controls.
🎯 Exploit Status
Exploitation requires network access to input plugins or ability to write to Splunk/Elasticsearch.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.1.0 or 4.0.13
Vendor Advisory: https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/
Restart Required: Yes
Instructions:
1. Back up the current configuration.
2. Update Fluent Bit to version 4.1.0 or 4.0.13.
3. Restart the Fluent Bit service.
4. Verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
Restrict network access to the affected input plugins using firewall rules (the ACCEPT rule for trusted sources must precede the DROP rule):
iptables -A INPUT -p tcp --dport <plugin_port> -s <trusted_ips> -j ACCEPT
iptables -A INPUT -p tcp --dport <plugin_port> -j DROP
Input Validation Filter
Add a Lua filter to sanitize tag_key inputs before processing:
[FILTER]
    Name   lua
    Match  *
    script sanitize_tags.lua
    call   sanitize_tags
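The [FILTER] section references a sanitize_tags.lua script that the advisory does not supply. The script below is an added example, not code from the advisory or from the Fluent Bit project. It assumes the input plugin's tag_key option points at a record field literally named tag_key (change TAG_FIELD otherwise) and that legitimate tags consist only of letters, digits, "_", "-" and "."; it drops every record whose effective tag or tag_key field contains "..", "/", "\", a newline or any other character outside that set.

```lua
-- sanitize_tags.lua: added example for the [FILTER] section above, not part
-- of the advisory or the Fluent Bit project. Fluent Bit calls
-- sanitize_tags(tag, timestamp, record) for each record the filter matches
-- and expects (code, timestamp, record) back: -1 drops the record,
-- 0 keeps it unchanged.

-- Assumption: the input plugin is configured with "tag_key tag_key", i.e. the
-- record field that overwrites the tag is literally named "tag_key".
local TAG_FIELD   = "tag_key"
local MAX_TAG_LEN = 256

-- A tag is safe only if it is a non-empty, bounded string of letters, digits,
-- "_", "-" and "." that contains no ".." sequence. The character-class check
-- rejects "/", "\", newlines and every other control character; the ".."
-- check covers path traversal attempts that use only allowed characters.
local function is_safe_tag(value)
    if type(value) ~= "string" then
        return false
    end
    if #value == 0 or #value > MAX_TAG_LEN then
        return false
    end
    if value:find("..", 1, true) then   -- plain find: ".." is not a pattern
        return false
    end
    return value:match("^[%w_%.%-]+$") ~= nil
end

function sanitize_tags(tag, timestamp, record)
    -- The input plugin has already replaced the tag using the tag_key field
    -- by the time a filter runs, so reject the record if either the effective
    -- tag or the field it came from is unsafe.
    if not is_safe_tag(tag) then
        return -1, timestamp, record
    end
    local requested = record[TAG_FIELD]
    if requested ~= nil and not is_safe_tag(requested) then
        return -1, timestamp, record
    end
    return 0, timestamp, record
end
```

Because the input plugin applies tag_key before any filter sees the record, a Lua filter cannot rename a record; it can only discard records whose tag is already unsafe, which is what return code -1 does here. Dropped records are lost, so count them (for example with a separate counter or by logging the rejected tag to stderr) while the workaround is in place, and treat a rising drop count as the detection signal the Detection & Monitoring section describes.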
🧯 If You Can't Patch
- Disable in_http, in_splunk, and in_elasticsearch plugins if not essential.
- Implement strict network segmentation and monitor for suspicious tag_key patterns.
🔍 How to Verify
Check if Vulnerable:
Check the Fluent Bit version and whether any of the affected inputs are enabled. In the configuration file the plugins are named http, splunk and elasticsearch (the in_ prefix is not used in the Name entry), so grep for those names:
fluent-bit --version && grep -Ei '^\s*Name\s+(http|splunk|elasticsearch)\s*$' /etc/fluent-bit/fluent-bit.conf
Check Version:
fluent-bit --version
Verify Fix Applied:
Verify the version is 4.1.0 or later, or 4.0.13 or a later 4.0.x release. The pattern below matches those ranges; a plain match on 4.1. or 4.0.13 would miss 4.0.14 and 4.2 or later:
fluent-bit --version | grep -E 'v?4\.([1-9][0-9]*\.[0-9]+|0\.(1[3-9]|[2-9][0-9]))'
📡 Detection & Monitoring
Log Indicators:
- Unusual tag_key values containing ../, newlines, or special characters
- Unexpected log routing or file creation
Network Indicators:
- Unusual traffic to Fluent Bit input plugin ports
- Requests with malformed tag_key parameters
SIEM Query:
source="fluent-bit" AND (tag_key="*../*" OR tag_key="*\n*")