- Fluent Bit flaw allows attackers to manipulate log files and execute remote code
- CVE-2025-12972 allows overwriting of files on disk for potential system compromise
- CVE-2025-12970 exploits a stack buffer overflow to trigger remote code execution
A widely used open source log processing tool contains critical flaws that could allow attackers to compromise cloud infrastructure, experts have warned.
Research by Oligo claims the vulnerabilities in Fluent Bit allow log file manipulation, authentication bypass, and remote code execution on systems across major cloud providers, including AWS, Google Cloud and Microsoft Azure.
Deployed in billions of containers, Fluent Bit is widely used by industries such as banking, artificial intelligence, and manufacturing, making it an attractive target.
Specific errors and risks
Exploitation of these vulnerabilities could disrupt cloud storage services, alter data, and threaten business operations that depend on consistent cloud access.
The Oligo Security research team identified five vulnerabilities and, in cooperation with the project’s maintainers, published details of the flaws.
The disclosed vulnerabilities include path traversal through unsanitized tag values, stack buffer overflows, tag-matching bypasses, and authentication errors.
CVE-2025-12972 allows attackers to overwrite arbitrary files on disk, while CVE-2025-12970 can trigger remote code execution through container naming.
CVE-2025-12978 and CVE-2025-12977 allow log redirection, injection of malicious entries, and manipulation of audit records.
CVE-2025-12969 disables authentication on some forwarders and allows attackers to inject false telemetry or flood detection systems.
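An added illustration, not Fluent Bit's or Oligo's code, of the path traversal class described above: a log writer that derives a file path from a record's tag, with the unsafe join beside a hardened version. The root directory, function names, tag grammar and sample tags are assumptions constructed for the example.

```python
import os
import re

LOG_ROOT = "/var/log/collector"  # assumed output directory (hypothetical)

# Assumed tag grammar: dot-separated segments of letters, digits, "_" and "-".
# Empty segments are impossible, so "..", "/" and a leading "." never match.
SAFE_TAG = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9_-]+)*")


def naive_path(root: str, tag: str) -> str:
    """Unsafe pattern: the tag is joined to the root exactly as received."""
    return os.path.normpath(os.path.join(root, tag))


def escapes_root(root: str, path: str) -> bool:
    """True when `path` resolves to a location outside `root`."""
    root_abs = os.path.normpath(root)
    return os.path.commonpath([root_abs, os.path.normpath(path)]) != root_abs


def safe_path(root: str, tag: str) -> str:
    """Hardened pattern: allow-list the tag, then verify containment."""
    if not SAFE_TAG.fullmatch(tag):
        raise ValueError(f"rejected tag: {tag!r}")
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, tag + ".log"))
    # Second line of defence: symlinks under root must not lead outside it.
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError(f"path leaves log root: {candidate!r}")
    return candidate


def is_rejected(root: str, tag: str) -> bool:
    """Convenience wrapper for audits: did safe_path refuse this tag?"""
    try:
        safe_path(root, tag)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample tags, not taken from any real deployment.
    for tag in ["app.web-01", "../../outside/target", "/tmp/absolute", "a..b"]:
        unsafe = naive_path(LOG_ROOT, tag)
        print(f"{tag!r}: naive -> {unsafe} (escapes={escapes_root(LOG_ROOT, unsafe)}), "
              f"hardened rejects={is_rejected(LOG_ROOT, tag)}")
```
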
“We can see based on the code history that the tag handling flaw behind CVE-2025-12977 has been present for at least four years, and the Docker input buffer overflow (CVE-2025-12970) dates back about 6 years,” Oligo Security researcher Uri Katz said.
These vulnerabilities can hinder malware removal efforts in cloud hosting environments and allow attackers to hide traces of unauthorized activity.
AWS has acknowledged the vulnerabilities and issued Fluent Bit version 4.1.1 to secure internal systems.
Customers are advised to upgrade workloads to this latest version and use Amazon Inspector, Security Hub, and Systems Manager to detect anomalies.
Companies should verify logging configurations and maintain continuous monitoring.
Firewall protection and antivirus measures are recommended along with these updates to limit exposure.
That said, widespread deployment of Fluent Bit means that some residual risk may remain, even after patching, and these vulnerabilities are easy to exploit.
“There are multiple vulnerabilities here with varying levels of complexity,” Katz noted. “Some can be triggered with only a basic understanding of Fluent Bit’s behavior … while others … require more knowledge of memory corruption. Overall, the technical limit to exploiting these is relatively low.”



