CVE-2025-12972
BaseFortify
Publication date: 2025-11-24
Last updated on: 2025-11-28
Assigner: CERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| treasuredata | fluent_bit | 4.1.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in Fluent Bit's out_file plugin occurs because it does not properly sanitize tag values when creating output file names. If the File option is not set, the plugin uses tag input, which can be controlled by an attacker, to build file paths. This allows attackers with network access to include path traversal sequences in tags, causing Fluent Bit to write files outside the intended output directory.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with network access to write files outside the intended directory on the system running Fluent Bit. This could lead to unauthorized file creation or modification, potentially overwriting critical files or placing malicious files in sensitive locations, which may compromise system integrity or security.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, monitor Fluent Bit logs and configuration for unusual file creation or unexpected file paths outside the intended output directory. You can search for files created by Fluent Bit with suspicious path traversal patterns. For example, on Linux systems, use commands like: 1) Find files modified recently by Fluent Bit user or process: `find /path/to/output/directory -type f -mtime -1` 2) Check Fluent Bit logs for errors or warnings related to file output: `grep -i 'out_file' /var/log/fluent-bit.log` 3) Use network monitoring tools to detect suspicious tags or payloads sent to Fluent Bit. Since the vulnerability involves crafted tags causing path traversal, inspecting incoming tags for sequences like '../' can help. However, no specific detection commands are provided in the resources. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading Fluent Bit to version 4.1.0 or later, where this vulnerability is addressed. Additionally, configure the out_file plugin to explicitly set the File option to avoid using untrusted tag input for file paths. Restrict network access to Fluent Bit to trusted sources only, and monitor logs for suspicious activity. Applying strict input validation and sanitization on tags before they reach Fluent Bit can also reduce risk. [1]