CVE-2025-12972
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-24

Last updated on: 2025-11-28

Assigner: CERT/CC

Description
Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-24
Last Modified
2025-11-28
Generated
2026-06-16
AI Q&A
2025-11-24
EPSS Evaluated
2026-06-14
NVD
CVE-2025-12972
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
treasuredata fluent_bit 4.1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in Fluent Bit's out_file plugin occurs because it does not properly sanitize tag values when creating output file names. If the File option is not set, the plugin uses tag input, which can be controlled by an attacker, to build file paths. This allows attackers with network access to include path traversal sequences in tags, causing Fluent Bit to write files outside the intended output directory.

Impact Analysis

This vulnerability can allow an attacker with network access to write files outside the intended directory on the system running Fluent Bit. This could lead to unauthorized file creation or modification, potentially overwriting critical files or placing malicious files in sensitive locations, which may compromise system integrity or security.

Detection Guidance

To detect this vulnerability, monitor Fluent Bit logs and configuration for unusual file creation or unexpected file paths outside the intended output directory. You can search for files created by Fluent Bit with suspicious path traversal patterns. For example, on Linux systems, use commands like: 1) Find files modified recently by Fluent Bit user or process: `find /path/to/output/directory -type f -mtime -1` 2) Check Fluent Bit logs for errors or warnings related to file output: `grep -i 'out_file' /var/log/fluent-bit.log` 3) Use network monitoring tools to detect suspicious tags or payloads sent to Fluent Bit. Since the vulnerability involves crafted tags causing path traversal, inspecting incoming tags for sequences like '../' can help. However, no specific detection commands are provided in the resources. [1]

Mitigation Strategies

Immediate mitigation steps include upgrading Fluent Bit to version 4.1.0 or later, where this vulnerability is addressed. Additionally, configure the out_file plugin to explicitly set the File option to avoid using untrusted tag input for file paths. Restrict network access to Fluent Bit to trusted sources only, and monitor logs for suspicious activity. Applying strict input validation and sanitization on tags before they reach Fluent Bit can also reduce risk. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12972. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart