Years-old bugs in open source tool left every major cloud open to disruption

Summary

Security researchers at Oligo disclosed five “trivial-to-exploit” vulnerabilities in Fluent Bit, the lightweight open source log and telemetry agent used across major cloud providers and AI labs. The flaws include an authentication bypass, path traversal, tag manipulation, a stack buffer overflow in the Docker input plugin, and other input-validation issues. Several of the bugs date back years; one path-traversal flaw had existed for more than eight years. Fluent Bit maintainers released patched versions (v4.1.1 / 4.0.12) to address the problems.

The bugs could be chained to overwrite files, achieve remote code execution, crash agents, tamper with or exfiltrate logs, and — when Fluent Bit runs as a Kubernetes DaemonSet — lead to full node or cluster compromise. Oligo coordinated disclosure with Fluent Bit maintainers and AWS, and researchers advise immediate updates plus container hardening and fixed tag/path configurations.

Key Points

  • Oligo Security discovered five CVEs in Fluent Bit that are easy to exploit and affect widely deployed telemetry agents.
  • Fluent Bit has over 15 billion deployments and is used by major providers including Google, Amazon, Microsoft, IBM, Oracle and by AI labs like OpenAI.
  • CVE-2025-12977: partial string comparison in tag_key lets attackers control tags and hijack routing.
  • CVE-2025-12978: improper input validation on tag_key can enable path traversal, injection, or unexpected file writes.
  • CVE-2025-12972: path traversal in the file output plugin lets attackers change the output file path and name; because the attacker also controls the record content being written, this becomes an arbitrary file write and can be escalated to remote code execution.
  • CVE-2025-12970: stack buffer overflow in the in_docker plugin caused by copying a container name into a fixed-size buffer without a length check; it can crash the agent or enable code execution.
  • CVE-2025-12969: authentication bypass in the in_forward plugin when security.users is set, so unauthenticated senders are accepted and can inject or forge log records.
  • Fixed releases are available (v4.1.1 / 4.0.12); operators should update immediately and harden deployments (static tags, fixed output paths, read-only configuration, and restricting which input plugins are reachable from the network).
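To make the tag-handling items above concrete, here is a small Python model of the weak and hardened behaviours side by side. It is an added example, not Fluent Bit's own code: the tag_key name (source_tag), the output directory, the default tag and the sample request bodies are all constructed for illustration, and the "partial string comparison" is modelled as a prefix match on the record key, which is a simplification of the real plugin code path. It also shows why the recommended static Tag setting removes the client's influence over routing and file names altogether.

```python
import json
import posixpath
import re

# Assumed settings (not from the article): an HTTP-style input that takes the
# tag from a record field named by tag_key, and a file output that derives the
# file name from the tag.
CONFIGURED_TAG_KEY = "source_tag"
BASE_DIR = "/var/log/fluent-bit"
DEFAULT_TAG = "http.0"
# Tags allowed into a file name: dotted labels only, no separators or controls.
TAG_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,127}")

# Constructed request bodies for illustration; none come from a real capture.
SAMPLE_BODIES = [
    '{"source_tag": "app.web", "msg": "GET /login 200"}',            # honest client
    '{"msg": "spoofed", "source": "audit"}',                          # key is only a prefix of tag_key
    '{"source_tag": "../../../etc/cron.d/job", "msg": "* * * * * root /tmp/x"}',
    '{"source_tag": "audit\\nfake", "msg": "newline smuggled into the tag"}',
]


def extract_tag_partial(record, tag_key=CONFIGURED_TAG_KEY):
    """Weak: a record key is taken as tag_key when it merely shares a prefix
    with it (models the partial string comparison class). A sender who cannot
    set 'source_tag' but can add a field named 'source' still chooses the tag
    and therefore the route."""
    for key, value in record.items():
        n = min(len(key), len(tag_key))
        if key[:n].lower() == tag_key[:n].lower():
            return str(value)
    return DEFAULT_TAG


def extract_tag_exact(record, tag_key=CONFIGURED_TAG_KEY):
    """Fixed: only a key equal to tag_key selects the tag."""
    value = record.get(tag_key)
    return DEFAULT_TAG if value is None else str(value)


def validate_tag(tag):
    """Reject anything that could alter a path or split a log line:
    slashes, backslashes, control characters, a leading '.', over-long tags."""
    return TAG_RE.fullmatch(tag) is not None


def output_path_unsafe(tag, base_dir=BASE_DIR):
    """Weak: the tag is interpolated into the file name unchecked, so a tag
    containing '../' walks out of base_dir."""
    return f"{base_dir}/{tag}.log"


def output_path_safe(tag, base_dir=BASE_DIR):
    """Hardened: validate the tag, build the path, then confirm the normalised
    result is still inside base_dir. Returns None when the record must be dropped."""
    if not validate_tag(tag):
        return None
    path = posixpath.normpath(posixpath.join(base_dir, tag + ".log"))
    if posixpath.commonpath([base_dir, path]) != base_dir:
        return None
    return path


def process(body, hardened=True, static_tag=None):
    """Run one request body through tag extraction and file-path construction.
    static_tag models the recommended fixed Tag setting: the client-supplied
    field is then ignored entirely. Returns (tag, path); path is None if dropped."""
    record = json.loads(body)
    if static_tag is not None:
        tag = static_tag
    elif hardened:
        tag = extract_tag_exact(record)
    else:
        tag = extract_tag_partial(record)
    path = output_path_safe(tag) if hardened else output_path_unsafe(tag)
    return tag, path


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print("weak     :", process(body, hardened=False))
        print("hardened :", process(body))
        print("static   :", process(body, static_tag="app.web"))
```

Running it shows the second body hijacking the audit route only under the weak key comparison, the third body producing a file path under /etc under the weak output code while the hardened version drops the record, and every body landing in the same fixed file when a static tag is configured.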

Context and relevance

Fluent Bit is a core piece of cloud and cluster observability — its ubiquity makes these bugs a supply-chain and infrastructure risk. Because the agent often runs on every node (DaemonSet in Kubernetes), a single compromised agent could cascade into wide-scale disruption, tamper with forensic logs, and hide attacker activity. The disclosure also highlights persistent gaps in how CVEs are requested and assigned for critical open-source infrastructure, and the need for stronger collaboration between maintainers, cloud providers and researchers.

Author

Punchy: this isn’t a niche bug-hunt — it’s a major infrastructure wake-up call. If you manage cloud, Kubernetes or observability stacks, the details matter: attackers could use these simple issues to cause widespread disruption or stealthy long-term compromise.

Why should I read this?

Honestly — if you run Fluent Bit or manage clusters, read it now. We’ve skimmed the tech so you don’t have to: update the agent, lock down tags and file outputs, and check any network-exposed inputs. If you don’t, someone else might make your logs lie to you.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2025/11/24/fluent_bit_cves/