CVE-2025-12972 Overview
CVE-2025-12972 is a path traversal vulnerability in the Fluent Bit out_file output plugin. When the File configuration option is omitted, the plugin uses untrusted tag input to construct file paths without proper sanitization. This allows attackers with network access to craft malicious tags containing path traversal sequences (such as ../) that cause Fluent Bit to write files outside the intended output directory.
Fluent Bit is a widely deployed open-source log processor and forwarder, commonly used in cloud-native environments and Kubernetes clusters for log aggregation. This vulnerability affects organizations relying on Fluent Bit for centralized logging infrastructure.
Critical Impact
Attackers with network access can write arbitrary files outside the intended output directory, potentially overwriting configuration files, injecting malicious scripts, or disrupting logging operations.
Affected Products
- Treasuredata Fluent Bit 4.1.0
- Treasuredata Fluent Bit (versions prior to security patch)
Discovery Timeline
- 2025-11-24 - CVE-2025-12972 published to NVD
- 2025-11-28 - Last updated in NVD database
Technical Details for CVE-2025-12972
Vulnerability Analysis
This vulnerability is classified as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly known as path traversal. The out_file plugin in Fluent Bit is designed to write log data to files on disk. When administrators configure this plugin without explicitly specifying the File option, the plugin derives the output filename from the log record's tag value.
The core issue lies in the plugin's failure to sanitize tag values before using them in file path construction. Since tags can be influenced by external sources in certain deployment configurations, an attacker with network access to the Fluent Bit input endpoints can submit log records with specially crafted tags containing directory traversal sequences.
Root Cause
The root cause is insufficient input validation in the out_file plugin's filename derivation logic. When the File configuration parameter is not set, the plugin directly incorporates the tag value into the output file path without stripping or rejecting path traversal characters such as .., /, or \. This violates the principle of least privilege by allowing untrusted input to influence file system operations beyond the designated output directory.
Attack Vector
The attack vector is network-based, requiring the attacker to have access to Fluent Bit's input endpoints. An attacker would craft log records with tags containing path traversal sequences such as ../../etc/cron.d/malicious or similar payloads. When the out_file plugin processes these records, it constructs a file path that escapes the configured output directory, writing data to arbitrary locations on the file system where the Fluent Bit process has write permissions.
The attack does not require authentication, making it exploitable in environments where Fluent Bit input endpoints are exposed to untrusted networks. The impact is limited to file writes (integrity impact), without direct confidentiality or availability consequences according to the vulnerability assessment.
For detailed technical analysis, see the Oligo Security Critical Vulnerabilities Analysis and the Fluent Bit Security Vulnerabilities Blog.
Detection Methods for CVE-2025-12972
Indicators of Compromise
- Unexpected files appearing outside the configured Fluent Bit output directory
- Log records or tags containing path traversal sequences (../, ..\\, or URL-encoded variants)
- Fluent Bit writing to system directories such as /etc/, /var/spool/, or other sensitive locations
- File system integrity monitoring alerts for unauthorized file modifications
Detection Strategies
- Monitor Fluent Bit logs for tags containing suspicious patterns like .. or absolute paths
- Implement file integrity monitoring (FIM) on critical system directories to detect unauthorized writes
- Review Fluent Bit configuration to identify out_file plugins missing the explicit File parameter
- Deploy network monitoring to inspect traffic to Fluent Bit input endpoints for malicious payloads
Monitoring Recommendations
- Enable audit logging for file system operations performed by the Fluent Bit process
- Configure SentinelOne to monitor for anomalous file creation patterns by logging infrastructure processes
- Implement alerting for Fluent Bit writing files to directories outside the expected output paths
- Regularly audit input sources and tag generation logic to ensure tags originate from trusted sources
How to Mitigate CVE-2025-12972
Immediate Actions Required
- Review all Fluent Bit configurations and ensure the File option is explicitly set for all out_file plugin instances
- Restrict network access to Fluent Bit input endpoints using firewalls or network policies
- Update Fluent Bit to the latest patched version that addresses this vulnerability
- Implement input validation at the network boundary to reject tags containing path traversal sequences
Patch Information
Fluent Bit has addressed this vulnerability in version 4.1 and backported fixes to version 4.0. Organizations should upgrade to the latest patched version as soon as possible. Refer to the Fluent Bit Security Vulnerabilities Blog for specific version information and upgrade guidance.
Workarounds
- Always explicitly configure the File option in out_file plugin configurations to prevent tag-based filename derivation
- Run Fluent Bit with minimal file system permissions, restricting write access to only the intended output directories
- Deploy Fluent Bit in a containerized environment with read-only root filesystem and explicit volume mounts for output directories
- Implement a reverse proxy or input filter to sanitize incoming log records before they reach Fluent Bit
# Example: Secure out_file configuration with explicit File option
# /etc/fluent-bit/fluent-bit.conf
[OUTPUT]
Name file
Match *
Path /var/log/fluent-bit/
File application.log
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
