- Fluent Bit flaws allow attackers to manipulate logs and execute code remotely
- CVE-2025-12972 allows files on disk to be overwritten, potentially leading to system compromise
- CVE-2025-12970 exploits a stack buffer overflow to trigger remote code execution
A widely used open source log processing tool contains critical flaws that could allow attackers to compromise cloud infrastructure, experts have warned.
Research from Oligo claims that Fluent Bit vulnerabilities allow log manipulation, authentication bypass, and remote code execution on systems from major cloud providers, including AWS, Google Cloud, and Microsoft Azure.
Fluent Bit is deployed in billions of containers and widely used by industries such as banking, AI, and manufacturing, making it an attractive target.
Specific defects and risks
Exploiting these vulnerabilities could disrupt cloud storage services, corrupt data, and threaten business operations that depend on consistent access to the cloud.
The Oligo Security research team identified five vulnerabilities and, together with the project maintainers, published details about the bugs.
Disclosed vulnerabilities include path traversal through unsanitized tag values, stack buffer overflows, tag matching bypasses, and authentication failures.
CVE-2025-12972 allows attackers to overwrite arbitrary files on disk, while CVE-2025-12970 can trigger remote code execution via container naming.
CVE-2025-12978 and CVE-2025-12977 allow log rerouting, misleading input injection, and tampering with monitoring records.
CVE-2025-12969 disables authentication on certain forwarders, allowing attackers to inject fake telemetry or flood detection systems.
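As an added example (not from the article, Oligo, or the Fluent Bit project), this is the kind of containment check the path traversal class listed above calls for: a file name derived from a log tag is resolved and rejected if it lands outside the output directory. The function names, the `/var/log/flb-out` directory and the sample tags are constructed assumptions.

```python
import os


def resolve_tag_path(base_dir: str, tag: str) -> str:
    """Map a tag-derived file name to an absolute path inside base_dir.

    Raises ValueError if the tag is empty, contains a NUL byte, or would
    place the file outside base_dir (or on base_dir itself).
    """
    if not tag or "\x00" in tag:
        raise ValueError("empty tag or NUL byte")
    base = os.path.realpath(base_dir)
    # realpath collapses "..", "." and symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(base, tag))
    # commonpath compares whole path components, so a sibling directory
    # that merely shares a string prefix with base_dir is still rejected.
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"tag escapes output directory: {tag!r}")
    return candidate


def audit_tags(base_dir, tags):
    """Split tags into (accepted, rejected) using resolve_tag_path."""
    accepted, rejected = [], []
    for tag in tags:
        try:
            resolve_tag_path(base_dir, tag)
            accepted.append(tag)
        except ValueError:
            rejected.append(tag)
    return accepted, rejected


# Constructed sample tags, not taken from any real deployment.
SAMPLE_TAGS = [
    "app.web",                 # ordinary tag
    "nested/app.log",          # stays inside the output directory
    "logs/../../outside",      # climbs out through ".."
    "/tmp/absolute-target",    # absolute path replaces the base on join
    "../flb-out-evil/x",       # sibling sharing a string prefix with base
    "..",                      # parent directory itself
]

if __name__ == "__main__":
    ok, bad = audit_tags("/var/log/flb-out", SAMPLE_TAGS)
    print("accepted:", ok)
    print("rejected:", bad)
```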
“We can see, based on the code history, that the tag management flaw behind CVE-2025-12977 has been present for at least four years, and the Docker input buffer overflow (CVE-2025-12970) is about 6 years old,” said Uri Katz, security researcher at Oligo.
These vulnerabilities could hamper malware removal efforts in cloud hosting environments and allow attackers to hide traces of unauthorized activity.
AWS recognized the vulnerabilities and released Fluent Bit version 4.1.1 to secure internal systems.
Customers are advised to upgrade their workloads to this latest version and use Amazon Inspector, Security Hub, and Systems Manager to detect anomalies.
Businesses should verify logging configurations and maintain continuous monitoring.
Firewall protection and antivirus measures are recommended alongside these updates to limit exposure.
That said, the widespread deployment of Fluent Bit means that some residual risk may remain even after patches are applied, and these vulnerabilities are easy to exploit.
“There are multiple vulnerabilities here with varying levels of complexity,” Katz noted. “Some can be triggered with only a basic understanding of Fluent Bit behavior… while others… require greater familiarity with memory corruption. Overall, the technical bar for exploiting them is relatively low.”




