Fluent Bit Out_File Plugin Vulnerability: CVE-2025-12972 Lets Attackers Write Anywhere

Overview

A critical vulnerability, identified as CVE-2025-12972, has been discovered in the out_file plugin of Fluent Bit. This flaw allows attackers with network access to potentially write files to arbitrary locations on the system running Fluent Bit, leading to significant security risks. This is achieved by crafting specific tag values containing path traversal sequences, which are then used by Fluent Bit when the File option is omitted in the plugin configuration.

Technical Details

The vulnerability stems from insufficient sanitization of tag values within the out_file plugin when the File option is not explicitly defined in the configuration. In this scenario, the plugin dynamically constructs output file paths using these (potentially untrusted) tag values. By injecting path traversal sequences (e.g., ../) into the tag data, an attacker can manipulate the resulting file path to write files outside the intended output directory. For example, an attacker might craft a tag like ../../../tmp/evil.txt, causing Fluent Bit to write data to the /tmp/evil.txt file instead of the expected location.

Specifically, the issue arises when the File option is absent from the configuration, as in the following example:


[OUTPUT]
    Name file
    Match *
    # File omitted, leading to tag-based filename generation
    # File my_log.txt   (if File is set, the filename no longer comes from the tag)
    ...

Attackers can craft malicious tags that will lead to path traversal.

CVSS Analysis

As of this writing, a CVSS score is not yet available for CVE-2025-12972. However, given the potential for arbitrary file write, the vulnerability is likely to be classified as Critical in severity. A successful exploit could allow an attacker to overwrite system files, execute arbitrary code, or otherwise compromise the integrity and confidentiality of the system.

This will be updated as more information is released.

Possible Impact

The impact of this vulnerability is significant. A successful exploit can lead to:

  • Arbitrary File Write: Attackers can write files to any location accessible to the Fluent Bit process, potentially overwriting critical system files.
  • Code Execution: By overwriting executable files or configuration files used by other services, attackers may achieve arbitrary code execution.
  • Denial of Service: Attackers can overwrite log files or fill up disk space, leading to a denial of service.
  • Data Exfiltration: In some scenarios, attackers might be able to exfiltrate sensitive data by writing it to a location they can access.

Mitigation or Patch Steps

The recommended mitigation is to upgrade to Fluent Bit version 4.1.0 or later. This version includes a patch that properly sanitizes tag values and prevents path traversal attacks. You can obtain the latest version from the official Fluent Bit website or your package manager.

If upgrading is not immediately feasible, a temporary workaround is to always explicitly define the File option in the out_file plugin configuration. This will ensure that Fluent Bit does not rely on potentially untrusted tag values to construct file paths.

Upgrade Fluent Bit


# Example (depending on your installation method)
# --only-upgrade limits the upgrade to the fluent-bit package
apt update && apt install --only-upgrade fluent-bit

Apply Mitigation Steps (If Upgrade is not possible)


[OUTPUT]
    Name file
    Match *
    # Explicitly define the File option (keep comments on their own line)
    File /path/to/my/log/file.txt
    ...
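One way to audit existing configurations for the workaround above, as an added example (not code from Fluent Bit or from this article): the script parses classic-mode configuration text and reports every [OUTPUT] section that uses the file plugin without an explicit File key. The sample configuration, the function names, and the assumption that keys are case-insensitive are illustrative; YAML configurations and @INCLUDE directives are not handled.

```python
import re

# Constructed sample in classic-mode syntax (not taken from a real host).
SAMPLE = """\
[OUTPUT]
    Name  file
    Match *
    Path  /var/log/flb
    # File app.log

[OUTPUT]
    name  file
    match app.*
    file  app.log

[OUTPUT]
    Name  stdout
    Match *
"""

def parse_sections(text):
    """Return [(SECTION, header_line_no, {lowercased key: value})]."""
    sections = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blanks and full-line comments
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            sections.append((header.group(1).upper(), no, {}))
        elif sections:
            key, *rest = line.split(None, 1)
            # Assumption: keys are matched case-insensitively.
            sections[-1][2][key.lower()] = rest[0] if rest else ""
    return sections

def risky_file_outputs(text):
    """Find [OUTPUT] sections that use the file plugin without a File key."""
    findings = []
    for name, no, kv in parse_sections(text):
        is_file_plugin = name == "OUTPUT" and kv.get("name", "").lower() == "file"
        if is_file_plugin and not kv.get("file"):
            findings.append({"line": no, "match": kv.get("match", "")})
    return findings

if __name__ == "__main__":
    for f in risky_file_outputs(SAMPLE):
        print(f"line {f['line']}: out_file has no File key (Match {f['match']})")
```

A commented-out File line, as in the first sample section, counts as missing, which is the case the workaround is meant to catch.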

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.