CVE-2025-12972: Fluent Bit Path Traversal Vulnerability

CVE-2025-12972 Overview

CVE-2025-12972 is a path traversal vulnerability in the Fluent Bit out_file output plugin. When the File configuration option is omitted, the plugin uses untrusted tag input to construct file paths without proper sanitization. This allows attackers with network access to craft malicious tags containing path traversal sequences (such as ../) that cause Fluent Bit to write files outside the intended output directory.

Fluent Bit is a widely deployed open-source log processor and forwarder, commonly used in cloud-native environments and Kubernetes clusters for log aggregation. This vulnerability affects organizations relying on Fluent Bit for centralized logging infrastructure.

Critical Impact
Attackers with network access can write arbitrary files outside the intended output directory, potentially overwriting configuration files, injecting malicious scripts, or disrupting logging operations.

Affected Products

Treasuredata Fluent Bit 4.1.0
Treasuredata Fluent Bit (versions prior to security patch)

Discovery Timeline

2025-11-24 - CVE-2025-12972 published to NVD
2025-11-28 - Last updated in NVD database

Technical Details for CVE-2025-12972

Vulnerability Analysis

This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. The out_file plugin in Fluent Bit is designed to write log data to files on disk. When administrators configure this plugin without explicitly specifying the File option, the plugin derives the output filename from the log record's tag value.

The core issue lies in the plugin's failure to sanitize tag values before using them in file path construction. Since tags can be influenced by external sources in certain deployment configurations, an attacker with network access to the Fluent Bit input endpoints can submit log records with specially crafted tags containing directory traversal sequences.

Root Cause

The root cause is insufficient input validation in the out_file plugin's filename derivation logic. When the File configuration parameter is not set, the plugin directly incorporates the tag value into the output file path without stripping or rejecting path traversal characters such as .., /, or \. This violates the principle of least privilege by allowing untrusted input to influence file system operations beyond the designated output directory.

Attack Vector

The attack vector is network-based, requiring the attacker to have access to Fluent Bit's input endpoints. An attacker would craft log records with tags containing path traversal sequences such as ../../etc/cron.d/malicious or similar payloads. When the out_file plugin processes these records, it constructs a file path that escapes the configured output directory, writing data to arbitrary locations on the file system where the Fluent Bit process has write permissions.

The attack does not require authentication, making it exploitable in environments where Fluent Bit input endpoints are exposed to untrusted networks. The impact is limited to file writes (integrity impact), without direct confidentiality or availability consequences according to the vulnerability assessment.

For detailed technical analysis, see the Oligo Security Critical Vulnerabilities Analysis and the Fluent Bit Security Vulnerabilities Blog.

Detection Methods for CVE-2025-12972

Indicators of Compromise

Unexpected files appearing outside the configured Fluent Bit output directory
Log records or tags containing path traversal sequences (../, ..\\, or URL-encoded variants)
Fluent Bit writing to system directories such as /etc/, /var/spool/, or other sensitive locations
File system integrity monitoring alerts for unauthorized file modifications

Detection Strategies

Monitor Fluent Bit logs for tags containing suspicious patterns like .. or absolute paths
Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized writes
Review Fluent Bit configuration to identify out_file plugins missing the explicit File parameter
Deploy network monitoring to inspect traffic to Fluent Bit input endpoints for malicious payloads

Monitoring Recommendations

Enable audit logging for file system operations performed by the Fluent Bit process
Configure SentinelOne to monitor for anomalous file creation patterns by logging infrastructure processes
Implement alerting for Fluent Bit writing files to directories outside the expected output paths
Regularly audit input sources and tag generation logic to ensure tags originate from trusted sources

How to Mitigate CVE-2025-12972

Immediate Actions Required

Review all Fluent Bit configurations and ensure the File option is explicitly set for all out_file plugin instances
Restrict network access to Fluent Bit input endpoints using firewalls or network policies
Update Fluent Bit to the latest patched version that addresses this vulnerability
Implement input validation at the network boundary to reject tags containing path traversal sequences

Patch Information

Fluent Bit has addressed this vulnerability in version 4.1 and backported fixes to version 4.0. Organizations should upgrade to the latest patched version as soon as possible. Refer to the Fluent Bit Security Vulnerabilities Blog for specific version information and upgrade guidance.

Workarounds

Always explicitly configure the File option in out_file plugin configurations to prevent tag-based filename derivation
Run Fluent Bit with minimal file system permissions, restricting write access to only the intended output directories
Deploy Fluent Bit in a containerized environment with read-only root filesystem and explicit volume mounts for output directories
Implement a reverse proxy or input filter to sanitize incoming log records before they reach Fluent Bit

bash

# Example: Secure out_file configuration with explicit File option
# /etc/fluent-bit/fluent-bit.conf

[OUTPUT]
    Name        file
    Match       *
    Path        /var/log/fluent-bit/
    File        application.log