CVE-2025-12978

5.4 MEDIUM

📋 TL;DR

Fluent Bit's in_http, in_splunk, and in_elasticsearch input plugins have a tag validation flaw where tag prefixes can be incorrectly matched as full tags. This allows authenticated attackers to manipulate log routing, potentially redirecting records to unintended destinations. Organizations using Fluent Bit with these plugins exposed to untrusted networks are affected.

💻 Affected Systems

Products:
  • Fluent Bit
Versions: Versions before 4.1.0
Operating Systems: All platforms running Fluent Bit
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if in_http, in_splunk, or in_elasticsearch plugins are enabled and exposed to untrusted inputs.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could redirect all logs to malicious endpoints, completely compromising log integrity, injecting forged data, and causing alert flooding that disrupts security monitoring.

🟠

Likely Case

Selective log manipulation where attackers redirect specific log types to bypass monitoring or inject misleading data into security systems.

🟢

If Mitigated

With proper network segmentation and authentication, impact is limited to authorized users who could still manipulate logs they have access to.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the input endpoints or exposure to untrusted networks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.1.0

Vendor Advisory: https://fluentbit.io/announcements/v4.1.0/

Restart Required: Yes

Instructions:

1. Download Fluent Bit 4.1.0 or later from official sources.
2. Stop the Fluent Bit service.
3. Replace the binary with the patched version.
4. Restart the Fluent Bit service.
5. Verify the version with 'fluent-bit --version'.

🔧 Temporary Workarounds

Network Access Restriction

Platform: Linux

Restrict network access to Fluent Bit input endpoints using firewall rules

iptables -A INPUT -p tcp --dport [FLUENTBIT_PORT] -s [TRUSTED_NETWORK] -j ACCEPT
iptables -A INPUT -p tcp --dport [FLUENTBIT_PORT] -j DROP

Authentication Enforcement

Platform: all

Ensure strong authentication is enabled on all input plugins

# Configure authentication in fluent-bit.conf
[INPUT]
    Name http
    Port 8888
    HTTP_User user
    HTTP_Passwd secure_password

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Fluent Bit endpoints from untrusted networks
  • Enable and audit authentication on all input plugins, using strong credentials and regular rotation

🔍 How to Verify

Check if Vulnerable:

Run 'fluent-bit --version'. The instance is vulnerable if the reported version is below 4.1.0 and any of the in_http, in_splunk or in_elasticsearch input plugins is enabled.

Check Version:

fluent-bit --version

Verify Fix Applied:

Confirm version is 4.1.0 or higher with 'fluent-bit --version' and test tag validation with crafted inputs
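The two checks above (version below 4.1.0, and one of the three input plugins enabled) can be combined into a single script. The following is an added example, not tooling from the Fluent Bit project. It assumes that 'fluent-bit --version' prints a line containing "v<major>.<minor>.<patch>" and that the configuration is in the classic [INPUT] section format; the version banner and configuration below are constructed sample inputs.

```python
import re

# Hypothetical helper (not Fluent Bit's own tooling): decide whether an
# installation is exposed to CVE-2025-12978 from its version banner and config.
FIXED_VERSION = (4, 1, 0)
VULNERABLE_PLUGINS = {"http", "splunk", "elasticsearch"}


def parse_version(output: str) -> tuple:
    """Extract (major, minor, patch) from the 'fluent-bit --version' banner.

    Assumes the banner contains a 'v4.0.3'-style token (labelled assumption).
    """
    m = re.search(r"v?(\d+)\.(\d+)\.(\d+)", output)
    if not m:
        raise ValueError(f"no version found in {output!r}")
    return tuple(int(x) for x in m.groups())


def enabled_input_plugins(conf: str) -> list:
    """Return the Name value of every [INPUT] section in a classic-format config."""
    plugins = []
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().upper()
            continue
        if section == "INPUT":
            parts = line.split(None, 1)
            if len(parts) == 2 and parts[0].lower() == "name":
                plugins.append(parts[1].strip().lower())
    return plugins


def assess(version_output: str, conf: str) -> dict:
    """Combine both checks: unpatched version AND a vulnerable input plugin enabled."""
    version = parse_version(version_output)
    exposed = sorted(p for p in enabled_input_plugins(conf) if p in VULNERABLE_PLUGINS)
    return {
        "version": version,
        "patched": version >= FIXED_VERSION,
        "vulnerable_inputs": exposed,
        "at_risk": version < FIXED_VERSION and bool(exposed),
    }


# Constructed sample inputs: an unpatched 4.0.3 install with in_http enabled.
SAMPLE_VERSION_OUTPUT = "Fluent Bit v4.0.3\n"
SAMPLE_CONF = """\
[SERVICE]
    Flush 1

[INPUT]
    Name http
    Port 8888

[INPUT]
    Name tail
    Path /var/log/app.log

[OUTPUT]
    Name stdout
    Match *
"""

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION_OUTPUT, SAMPLE_CONF))
```

In a real check, replace the constructed strings with the captured output of 'fluent-bit --version' and the contents of the deployed configuration file. A result with at_risk set to True means the fix has not been applied and an affected input plugin is enabled.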

📡 Detection & Monitoring

Log Indicators:

  • Unexpected tag patterns in Fluent Bit logs
  • Logs appearing in unexpected output destinations
  • Authentication failures on input endpoints

Network Indicators:

  • Unusual traffic patterns to Fluent Bit input ports
  • Requests with crafted tag prefixes

SIEM Query:

source="fluent-bit" AND (tag="*prefix*" OR dest="unexpected_endpoint")
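The "unexpected tag patterns" and "unexpected output destinations" indicators above can be checked offline by replaying observed record tags against the configured Match rules. The following is an added example, not code from the Fluent Bit project: it models only the '*' wildcard of a classic [OUTPUT] Match rule (Match_Regex and other routing features are ignored), and the output table, expected tags and observed tags are constructed sample data.

```python
import re

# Hypothetical routing audit (not Fluent Bit's router). Given the Match pattern of
# each output and the set of tags an operator expects, report any tag that is not
# expected, where it would be routed, and whether it is only a prefix of an
# expected tag (the pattern CVE-2025-12978 is about).
OUTPUTS = {            # constructed: output name -> Match pattern
    "siem": "app.*",
    "archive": "*",
    "debug": "dev.*",
}
EXPECTED_TAGS = {"app.http", "app.splunk", "app.es"}   # constructed


def match_rule(pattern: str, tag: str) -> bool:
    """Fluent Bit-style '*' wildcard match; every other character is literal."""
    regex = "^" + ".*".join(re.escape(p) for p in pattern.split("*")) + "$"
    return re.match(regex, tag) is not None


def route(tag: str, outputs=OUTPUTS) -> list:
    """Names of all outputs whose Match rule accepts this tag."""
    return [name for name, pat in outputs.items() if match_rule(pat, tag)]


def audit(observed_tags, outputs=OUTPUTS, expected=EXPECTED_TAGS) -> dict:
    """Flag every observed tag outside the expected set with its routing outcome."""
    findings = {}
    for tag in observed_tags:
        if tag in expected:
            continue
        findings[tag] = {
            "outputs": route(tag, outputs),
            # True when the tag is a strict prefix of a tag we do expect
            "prefix_of_expected": any(e != tag and e.startswith(tag) for e in expected),
        }
    return findings


# Constructed sample of tags seen on records arriving at the input plugins
SAMPLE_OBSERVED = ["app.http", "app", "app.http.extra", "dev.test", "app.es"]

if __name__ == "__main__":
    for tag, info in audit(SAMPLE_OBSERVED).items():
        print(tag, info)
```

Feed the function the tags extracted from your own records (for example the tag field of the stdout or file output) and the Match patterns from the live configuration; any finding with prefix_of_expected set to True is worth correlating with the input-endpoint access logs.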
