CVE-2025-12970

Published Nov 24, 2025

Last updated 4 months ago

CVSS high 8.8
Fluent Bit

Overview

Description
The extract_name function in the Fluent Bit in_docker input plugin copies container names into a fixed-size stack buffer without validating their length. An attacker who can create containers or control container names can supply a long name that overflows the buffer, leading to a process crash or arbitrary code execution.
Source: cret@cert.org
NVD status: Modified
Products: fluent_bit

Risk scores

CVSS 3.1

Type: Secondary
Base score: 8.8
Impact score: 5.9
Exploitability score: 2.8
Vector string: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Severity: HIGH

Weaknesses

nvd@nist.gov
CWE-120

Social media

Hype score
Not currently trending
  1. 🔴 SECURITY UPDATE - 05/12/2025 Critical CVE-2025-12970 affects multiple Windows versions. Immediate action required to mitigate potential RCE risks. Source: https://t.co/mCayqb97V9

    @kernyx64, 5 Dec 2025: 38 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  2. CVE-2025-12970 CVE-2025-12970 https://t.co/h0oX5hfHvW #SecQube #MicrosoftSecurity

    @SecQube, 5 Dec 2025: 27 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  3. #Analytics #Threat_Research An analytical review of the main cybersecurity events for the week (November 22-29, 2025) 1⃣. Critical Vulnerabilities in FluentBit Expose Cloud Environments to Remote Takeover - https://t.co/zHrDgWp61B // CVE-2025-12972, CVE-2025-12970,

    @ksg93rd, 29 Nov 2025: 288 Impressions, 1 Retweet, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  4. 🚨Alert🚨:Critical Fluent Bit Flaws Enable RCE and Telemetry Tampering in Major Orgs ------------------------ CVE-2025-12972: Path Traversal File Write CVE-2025-12970: Stack Buffer Overflow CVE-2025-12978: Tag Key Spoofing CVE-2025-12977: Tag Injection CVE-2025-12969: https:/

    @HunterMapping, 26 Nov 2025: 5845 Impressions, 15 Retweets, 82 Likes, 39 Bookmarks, 2 Replies, 0 Quotes

  5. 🚨 Critical Cloud Security Alert Five new Fluent Bit vulnerabilities (incl. CVE-2025-12972 & CVE-2025-12970) can enable RCE, file overwrite, log spoofing, DoS, and auth bypass across AWS, Azure, GCP & Kubernetes. 🔧 Fix: Update to 4.1.1 / 4.0.12 immediately.

    @JypraGroup, 26 Nov 2025: 58 Impressions, 0 Retweets, 1 Like, 0 Bookmarks, 0 Replies, 0 Quotes

  6. CVE-2025-12970 Buffer Overflow in Fluent Bit Docker Input Plugin Enables Remote Code Execution https://t.co/Sis1mg8CWu

    @VulmonFeeds, 24 Nov 2025: 8 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

  7. CVE-2025-12970 The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. An attacker who can cr… https://t.co/Tb7oLy6Oq0

    @CVEnew, 24 Nov 2025: 44 Impressions, 0 Retweets, 0 Likes, 0 Bookmarks, 0 Replies, 0 Quotes

Configurations