- Fluent Bit flaws allow attackers to manipulate records and execute remote code
- CVE-2025-12972 allows files to be overwritten on disk for possible system compromise
- CVE-2025-12970 exploits a stack buffer overflow to trigger remote code execution
Experts have warned that a widely used open source log processing tool contains critical flaws that could allow attackers to compromise cloud infrastructure.
Oligo research claims that vulnerabilities in Fluent Bit allow registry manipulation, bypassing authentication, and remote code execution on systems from major cloud providers, including AWS, Google Cloud, and Microsoft Azure.
Fluent Bit is deployed on billions of containers and is widely used in industries such as banking, artificial intelligence, and manufacturing, making it an interesting target.
Specific defects and risks
Exploitation of these vulnerabilities could disrupt cloud storage services and data, and threaten business operations that depend on constant access to the cloud.
The Oligo Security research team identified five vulnerabilities and, in collaboration with the project maintainers, published details about the bugs.
The disclosed vulnerabilities include path traversal through unsanitized tag values, stack buffer overflows, tag matching bypasses, and authentication failures.
CVE-2025-12972 allows attackers to overwrite arbitrary files on disk, while CVE-2025-12970 can trigger remote code execution via container naming.
CVE-2025-12978 and CVE-2025-12977 allow log redirection, misleading input injection, and monitoring log manipulation.
CVE-2025-12969 disables authentication on some forwarders, allowing attackers to inject fake telemetry or flood detection systems.
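The bug class behind the file-overwrite issue, path traversal through an unsanitized tag value, is shown below as an added example with the unsafe join beside a hardened form. This is not Fluent Bit's code or its patch; the function names, the `/var/log/out` directory and the sample tags are hypothetical and constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Unsafe pattern: the tag is trusted and joined to the directory as-is. */
int naive_tag_path(const char *dir, const char *tag, char *out, size_t len)
{
    int n = snprintf(out, len, "%s/%s", dir, tag);
    return (n < 0 || (size_t)n >= len) ? -1 : 0;   /* -1 on truncation */
}

/* Allowlist check: a single path component, no separators, no "..". */
int tag_is_safe(const char *tag)
{
    size_t i, n = strlen(tag);

    if (n == 0 || n > 128 || tag[0] == '.')
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)tag[i];
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;               /* rejects '/', '\\', control bytes */
        if (c == '.' && tag[i + 1] == '.')
            return 0;               /* rejects ".." anywhere in the tag */
    }
    return 1;
}

/* Hardened form: validate first, then build the path with a bounded write. */
int safe_tag_path(const char *dir, const char *tag, char *out, size_t len)
{
    if (!tag_is_safe(tag))
        return -1;
    return naive_tag_path(dir, tag, out, len);
}

int main(void)
{
    /* Constructed sample tags, not taken from any advisory. */
    const char *tags[] = { "kube.app-1", "../../tmp/demo", "a/b", "..", "" };
    char path[256];
    size_t i;

    for (i = 0; i < sizeof(tags) / sizeof(tags[0]); i++) {
        if (safe_tag_path("/var/log/out", tags[i], path, sizeof(path)) == 0)
            printf("accept %-16s -> %s\n", tags[i], path);
        else
            printf("reject \"%s\"\n", tags[i]);
    }
    return 0;
}
```

An allowlist on the tag is deliberately stricter than resolving the final path and comparing prefixes, because it rejects the input before any file system call is made.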
“We can see from the code history that the tag handling flaw behind CVE-2025-12977 has been present for at least four years, and the Docker input buffer overflow (CVE-2025-12970) dates back about 6 years,” said Oligo Security researcher Uri Katz.
These vulnerabilities could hinder malware removal efforts in cloud hosting environments and allow attackers to hide traces of unauthorized activity.
AWS recognized the vulnerabilities and issued Fluent Bit version 4.1.1 to protect internal systems.
Customers are advised to update workloads to this latest version and use Amazon Inspector, Security Hub, and Systems Manager to detect anomalies.
Companies should verify logging configurations and maintain continuous monitoring.
Antivirus and firewall protection measures are recommended along with these updates to limit exposure.
That said, the widespread deployment of Fluent Bit means that some residual risk may remain even after the patch is applied, and these vulnerabilities are easy to exploit.
“There are multiple vulnerabilities here with different levels of complexity,” Katz said. “Some can be enabled with just a basic understanding of Fluent Bit behavior… while others… require more familiarity with memory corruption. In general, the technical bar for exploiting them is relatively low.”




