CVE-2025-29478

5.5 MEDIUM

📋 TL;DR

A local denial-of-service vulnerability in fluent-bit v3.7.2 allows attackers to crash the service by exploiting a flaw in the cfl_list_size function. This affects systems running the vulnerable version of fluent-bit where local users have access to the service. The vulnerability requires local access to the system.

💻 Affected Systems

Products:
  • fluent-bit
Versions: v3.7.2
Operating Systems: All platforms running fluent-bit
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects systems where local users have access to interact with fluent-bit service.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service disruption of fluent-bit, causing log collection and forwarding to stop, potentially affecting monitoring and observability systems.

🟠 Likely Case: A local user causes fluent-bit to crash, requiring a manual restart and causing temporary log collection gaps.

🟢 If Mitigated: Minimal impact with proper access controls and monitoring in place to detect and restart crashed services.

🌐 Internet-Facing: LOW - Requires local access to the system, not directly exploitable over network.
🏢 Internal Only: MEDIUM - Local users with access to the system could disrupt log collection services.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Proof of concept available in public repository, requires local access to system.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.7.3 or later

Vendor Advisory: https://github.com/fluent/fluent-bit/security/advisories

Restart Required: Yes

Instructions:

1. Check current version: fluent-bit --version
2. Download latest release from https://github.com/fluent/fluent-bit/releases
3. Stop fluent-bit service: systemctl stop fluent-bit
4. Install new version following platform-specific instructions
5. Start service: systemctl start fluent-bit

🔧 Temporary Workarounds

Restrict local access (linux)

Limit which local users can execute or interact with the fluent-bit binary (only the service account keeps execute access):

  chmod 750 /usr/local/bin/fluent-bit
  setfacl -m u:fluentbit:rx /usr/local/bin/fluent-bit

Implement service monitoring (linux)

Set up an automatic restart for a crashed fluent-bit service. Run systemctl edit fluent-bit and add the following override; the keys must sit under a [Service] section header, otherwise systemd ignores them:

  [Service]
  Restart=always
  RestartSec=5

🧯 If You Can't Patch

  • Implement strict access controls to limit which local users can interact with fluent-bit
  • Deploy monitoring to detect and automatically restart crashed fluent-bit instances

🔍 How to Verify

Check if Vulnerable:

Check the fluent-bit version (the pattern is anchored so that 3.7.20 or 3.7.21 are not reported as vulnerable):

  fluent-bit --version | grep -qE '(^|[^0-9.])3\.7\.2([^0-9]|$)' && echo 'VULNERABLE' || echo 'SAFE'

Check Version:

  fluent-bit --version

Verify Fix Applied:

Verify the version is 3.7.3 or later. A version-aware comparison is used here because a plain regex such as 3.7.[3-9] misses 3.7.10 and later, 3.10 and later, and 4.x:

  v=$(fluent-bit --version | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -1)
  [ "$(printf '%s\n' 3.7.3 "$v" | sort -V | head -1)" = 3.7.3 ] && echo 'FIXED' || echo 'VULNERABLE'

📡 Detection & Monitoring

Log Indicators:

  • fluent-bit crash logs
  • segmentation fault errors in system logs
  • service restart messages

Network Indicators:

  • Sudden stop of log forwarding from affected host

SIEM Query:

source="fluent-bit" AND ("segmentation fault" OR "crash" OR "SIGSEGV")
