CVE-2025-12977
Published: 24 November 2025
Summary
CVE-2025-12977 is a critical-severity Improper Validation of Specified Type of Input (CWE-1287) vulnerability in Treasuredata Fluent Bit. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 26.4th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Directly requires validation and sanitization of tag_key inputs in Fluent Bit plugins to block special characters enabling newline injection, path traversal, or forged records.
Mandates timely remediation by upgrading Fluent Bit to version 4.1 or to a 4.0 release carrying the backported fix for the input sanitization flaw, as detailed in the official advisory.
Restricts Fluent Bit to least functionality by disabling unnecessary vulnerable input plugins (in_http, in_splunk, in_elasticsearch), reducing attack surface for network-exposed instances.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables unauthenticated remote exploitation of public-facing Fluent Bit input plugins (T1190) and facilitates stored data manipulation through log injection, path traversal, forgery, and misrouting, all of which compromise log integrity.
NVD Description
Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data integrity and log routing.
Deeper analysis
CVE-2025-12977 is a critical-severity vulnerability (CVSS 9.1, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) affecting the Fluent Bit data collection and forwarding agent, specifically its in_http, in_splunk, and in_elasticsearch input plugins. These plugins fail to properly sanitize tag_key inputs, allowing attackers to inject special characters such as newlines or path traversal sequences like "../". Tags in Fluent Bit influence record routing and are used by some output plugins to derive filenames or contents, enabling impacts like newline injection, path traversal, forged record injection, or log misrouting, which compromise data integrity and routing (CWE-1287).
Attackers with network access to the affected Fluent Bit instance or the ability to write records into connected Splunk or Elasticsearch systems can exploit this remotely with low complexity and no privileges required. By supplying malicious tag_key values via HTTP, Splunk, or Elasticsearch inputs, they can manipulate tag processing to inject arbitrary newlines into logs, traverse paths in file-based outputs, forge records that appear to originate from other sources, or redirect logs to unintended destinations, potentially leading to widespread log corruption or exposure of sensitive data.
The official Fluent Bit advisory details that these vulnerabilities have been addressed in version 4.1, with backports available for version 4.0. Security practitioners should update to these patched releases and review configurations for exposed input plugins, particularly in cloud environments where Fluent Bit is commonly deployed for log aggregation. Additional analysis from Oligo Security highlights the risk of remote takeover in such setups.
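One way to do the configuration review suggested above, as an added example (not code from the Fluent Bit project or the advisory): it parses a classic-format Fluent Bit config and lists the three affected input plugins, whether `tag_key` is set, and whether they listen beyond loopback. The sample config is constructed, and the `out_file` check rests on the assumption that this output names files after the tag when `File` is unset.

```python
# Added example: audit a classic-format Fluent Bit config for CVE-2025-12977 exposure.
AFFECTED_INPUTS = {"http", "splunk", "elasticsearch"}  # plugins named in the advisory
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample configuration, not taken from any real deployment.
SAMPLE = """\
[INPUT]
    Name     http
    Listen   0.0.0.0
    Tag_Key  source
[INPUT]
    Name     elasticsearch
    Listen   127.0.0.1
[INPUT]
    Name     tail
    Path     /var/log/app.log
[OUTPUT]
    Name     file
    Match    *
    Path     /var/log/flb
"""

def parse_sections(text):
    """Return [(SECTION, {lowercased_key: value})] for [SECTION] / 'Key Value' lines."""
    sections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().upper(), {}))
        elif sections:
            key, *rest = line.split(None, 1)
            sections[-1][1][key.lower()] = rest[0].strip() if rest else ""
    return sections

def audit(text):
    """List affected inputs and file outputs whose file name is derived from the tag."""
    findings = []
    for section, opts in parse_sections(text):
        plugin = opts.get("name", "").lower()
        if section == "INPUT" and plugin in AFFECTED_INPUTS:
            listen = opts.get("listen", "(unset)")
            findings.append({"plugin": plugin, "listen": listen,
                             "tag_key_set": "tag_key" in opts,
                             "non_loopback": listen not in LOOPBACK})
        elif section == "OUTPUT" and plugin == "file" and "file" not in opts:
            # Assumption: with no File option, out_file names the file after the tag.
            findings.append({"plugin": "out_file", "tag_derived_filename": True})
    return findings
```

An input reported with both `tag_key_set` and `non_loopback` true, alongside a tag-named file output, is the combination to prioritise for upgrade or for disabling the plugin.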
Details
- CWE(s)