CVE-2025-12978

Medium CVSS: 5.4

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behavior to manipulate tags and redirect records to unintended destinations. This compromises the authenticity of ingested logs and can allow injection of forged data, alert flooding and routing manipulation.

Vendor

Treasuredata

Product

Fluent Bit

CWE

NVD-CWE-noinfo

Yayın Tarihi

2025-11-24 15:15:46

Güncelleme

2025-11-28 15:21:42

Source Identifier

cret@cert.org

KEV Date Added

Kategoriler

NVD-CWE-noinfo Fluent Bit MEDIUM Treasuredata 2025

Referanslar

https://fluentbit.io/announcements/v4.1.0/

Benzer Kayıtlar

Medium

CVE-2025-12969

Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain c…

High

CVE-2025-12970

The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer wit…

Medium

CVE-2025-12972

Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option i…

Critical

CVE-2025-12977

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with netw…

Medium

CVE-2025-29478

An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the cfl_list_size in cfl_list.h:…

Medium

CVE-2025-29477

An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the function consume_event.