BIT-fluent-bit-2025-12972

Import Source
https://github.com/bitnami/vulndb/tree/main/data/fluent-bit/BIT-fluent-bit-2025-12972.json
JSON Data
https://api.osv.dev/v1/vulns/BIT-fluent-bit-2025-12972
Aliases
Published
2025-12-01T20:38:27.720Z
Modified
2025-12-01T21:42:55.249463Z
Summary
CVE-2025-12972
Details

The Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory.

Database specific
{
    "severity": "Medium",
    "cpes": [
        "cpe:2.3:a:treasuredata:fluent_bit:*:*:*:*:*:*:*:*"
    ]
}
References

Affected packages

Bitnami / fluent-bit

Package

Name
fluent-bit
Purl
pkg:bitnami/fluent-bit

Severity

  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Affected ranges

Type
SEMVER
Events
Introduced
4.1.0
Fixed
4.1.1

Database specific

source
"https://github.com/bitnami/vulndb/tree/main/data/fluent-bit/BIT-fluent-bit-2025-12972.json"