CVE-2025-12977
Published: 24 November 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-12977 is a high-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting the Fluent Bit data collection and forwarding agent, specifically its in_http, in_splunk, and in_elasticsearch input plugins. These plugins fail to properly sanitize tag_key inputs, allowing attackers to inject special characters such as newlines or path traversal sequences like "../". Tags in Fluent Bit influence record routing and are used by some output plugins to derive filenames or contents, enabling impacts like newline injection, path traversal, forged record injection, or log misrouting, which compromise data integrity and routing (CWE-1287).
Attackers with network access to the affected Fluent Bit instance or the ability to write records into connected Splunk or Elasticsearch systems can exploit this remotely with low complexity and no privileges required. By supplying malicious tag_key values via HTTP, Splunk, or Elasticsearch inputs, they can manipulate tag processing to inject arbitrary newlines into logs, traverse paths in file-based outputs, forge records that appear to originate from other sources, or redirect logs to unintended destinations, potentially leading to widespread log corruption or exposure of sensitive data.
The official Fluent Bit advisory details that these vulnerabilities have been addressed in version 4.1, with backports available for version 4.0. Security practitioners should update to these patched releases and review configurations for exposed input plugins, particularly in cloud environments where Fluent Bit is commonly deployed for log aggregation. Additional analysis from Oligo Security highlights the risk of remote takeover in such setups.
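The two paragraphs above describe the root cause (a client-controlled tag_key value reaching routing and filename derivation unvalidated) and the resulting impacts (newline injection, path traversal, forged records, misrouting). The following is an added example, not Fluent Bit's own code or the vendor's patch: a defender-side model of what a hardened input should do with a client-supplied tag before it is used. The function names, the `tag` field name, the default tag `http.default`, the output directory and the sample JSON bodies are all assumptions constructed for the example; they are not taken from the advisory.

```python
"""Defender-side tag validation for HTTP-ingested log records.

Added example (not Fluent Bit's own code): models what a hardened input
plugin should do with a client-supplied tag before the tag reaches routing
or a file-based output. Function and field names are assumptions."""
import json
import posixpath
import re

# Any ASCII control character, including \n and \r, invalidates a tag:
# a newline inside a tag can split one log line into two (newline injection).
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")
# Conservative allow-list: the characters a routing tag legitimately needs.
_ALLOWED_TAG = re.compile(r"^[A-Za-z0-9_.-]+$")


def tag_problems(tag):
    """Return the reasons a client-supplied tag must not be trusted.

    An empty list means the tag passed every check."""
    problems = []
    if not isinstance(tag, str) or tag == "":
        return ["missing or non-string tag"]
    if _CONTROL_CHARS.search(tag):
        problems.append("control character")
    if "/" in tag or "\\" in tag:
        problems.append("path separator")
    if ".." in tag.replace("\\", "/").split("/"):
        problems.append("parent directory reference")
    if not problems and not _ALLOWED_TAG.match(tag):
        problems.append("character outside allow-list")
    return problems


def choose_tag(client_tag, default_tag):
    """Fail closed: use the configured default tag whenever the client tag
    does not pass validation, instead of trying to 'clean' it in place."""
    return client_tag if not tag_problems(client_tag) else default_tag


def output_path(base_dir, tag):
    """Derive an output filename from a tag the way a file output might,
    but refuse anything that would escape base_dir (second line of defence
    behind tag_problems)."""
    if tag_problems(tag):
        raise ValueError("refusing to derive a filename from tag %r" % (tag,))
    candidate = posixpath.normpath(posixpath.join(base_dir, tag))
    if not candidate.startswith(base_dir.rstrip("/") + "/"):
        raise ValueError("tag escapes output directory")
    return candidate


def scan_records(records, tag_field):
    """Flag records whose tag field would fail validation.

    Returns (record index, problems) pairs, usable for alerting on
    ingestion attempts that try to influence routing."""
    flagged = []
    for i, rec in enumerate(records):
        problems = tag_problems(rec.get(tag_field))
        if problems:
            flagged.append((i, problems))
    return flagged


# Constructed sample: JSON bodies as an HTTP input might receive them,
# with the configured tag_key assumed to be "tag".
SAMPLE_BODIES = [
    '{"tag": "app.web", "msg": "GET /health 200"}',
    '{"tag": "../outside", "msg": "would escape the output directory"}',
    '{"tag": "app.web\\nforged line", "msg": "would split one record into two"}',
    '{"tag": "app.db", "msg": "connection pool ok"}',
    '{"msg": "no tag at all"}',
]
SAMPLE_RECORDS = [json.loads(body) for body in SAMPLE_BODIES]

if __name__ == "__main__":
    for idx, why in scan_records(SAMPLE_RECORDS, "tag"):
        print("record %d rejected: %s" % (idx, ", ".join(why)))
        routed = choose_tag(SAMPLE_RECORDS[idx].get("tag"), "http.default")
        print("  routed with tag:", routed)
```

The design choice worth noting is that `choose_tag` falls back to the configured default rather than stripping offending characters: rewriting a hostile tag still lets the client pick which output a record lands in, whereas falling back keeps routing under the operator's control. `output_path` keeps its own containment check so that a future change to the allow-list cannot silently reopen traversal.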
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
This CVE enables unauthenticated remote exploitation of public-facing Fluent Bit input plugins (T1190) and facilitates stored data manipulation through log injection, path traversal, record forgery, and misrouting, compromising log integrity.