These worrying security flaws could put every major cloud provider at risk - here's what we know so far
Many vulnerabilities have existed for years, exposing cloud systems to ongoing risk
- Fluent Bit flaws allow attackers to manipulate logs and execute code remotely
- CVE-2025-12972 permits overwriting files on disk for potential system compromise
- CVE-2025-12970 is a stack buffer overflow that can trigger remote code execution
A widely used open source log processing tool contains critical flaws that could allow attackers to compromise cloud infrastructure, experts have warned.
Research from Oligo claims the vulnerabilities in Fluent Bit allow log manipulation, authentication bypass, and remote code execution on systems across major cloud providers, including AWS, Google Cloud, and Microsoft Azure.
Fluent Bit is deployed in billions of containers and used extensively by industries such as banking, AI, and manufacturing, making it an interesting target.
Specific flaws and risks
Exploitation of these vulnerabilities could disrupt cloud storage services, alter data, and threaten enterprise operations that depend on consistent cloud access.
The Oligo Security research team identified five vulnerabilities and, working with the project’s maintainers, published details about the bugs.
The disclosed vulnerabilities include path traversal through unsanitized tag values, stack buffer overflows, tag-matching bypasses, and failures in authentication.
CVE-2025-12972 allows attackers to overwrite arbitrary files on disk, while CVE-2025-12970 can trigger remote code execution through container naming.
CVE-2025-12978 and CVE-2025-12977 permit log rerouting, injection of misleading entries, and tampering with monitoring records.
CVE-2025-12969 disables authentication on some forwarders, letting attackers inject false telemetry or flood detection systems.
"We can see based on code history, the tag-handling flaw behind CVE-2025-12977 has been present for at least four years, and the Docker input buffer overflow (CVE-2025-12970) goes back roughly 6 years," Oligo Security researcher Uri Katz said.
These vulnerabilities could hinder malware removal efforts in cloud hosting environments and allow attackers to conceal traces of unauthorized activity.
AWS has acknowledged the vulnerabilities and issued Fluent Bit version 4.1.1 to secure internal systems.
Customers are advised to upgrade workloads to this latest version and use Amazon Inspector, Security Hub, and Systems Manager to detect anomalies.
Enterprises should verify logging configurations and maintain continuous monitoring.
Firewall protection and antivirus measures are recommended alongside these updates to limit exposure.
That said, widespread deployment of Fluent Bit means some residual risk may remain even after patching, and these vulnerabilities are easy to exploit.
"There are multiple vulnerabilities here with different complexity levels," noted Katz. "Some can be triggered with only a basic understanding of Fluent Bit's behavior…while others…demand more familiarity with memory corruption. Overall, the technical bar to exploit these is relatively low."

Efosa has been writing about technology for over 7 years, initially driven by curiosity but now fueled by a strong passion for the field. He holds both a Master's and a PhD in sciences, which provided him with a solid foundation in analytical thinking.