AZL-71080

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-71080.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-71080

Upstream

CVE-2025-12977

Published

2025-11-24T15:15:46Z

Modified

2026-04-21T04:36:31.418991Z

Summary

CVE-2025-12977 affecting package fluent-bit for versions less than 3.0.6-6

Details

Fluent Bit inhttp, insplunk, and inelasticsearch input plugins fail to sanitize tagkey inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data integrity and log routing.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-12977

Affected packages

Azure Linux:2 / fluent-bit

Package

Name: fluent-bit
Purl: pkg:rpm/azure-linux/fluent-bit

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.6-6

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-71080.json"