CVE-2025-12977

Source
https://nvd.nist.gov/vuln/detail/CVE-2025-12977
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-12977.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-12977
Aliases
Published
2025-11-24T15:15:46.770Z
Modified
2025-12-01T21:42:55.319032Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
[none]
Details

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data integrity and log routing.

References

Affected packages

Git / github.com/fluent/fluent-bit

Affected ranges

Type
GIT
Repo
https://github.com/fluent/fluent-bit
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected

Affected versions

0.*

0.13-dev-0.10
0.13-dev-0.11
0.13-dev-0.12
0.13-dev-0.13
0.13-dev-0.14
0.13-dev-0.15
0.13-dev-0.16
0.13-dev-0.17
0.13-dev-0.18
0.13-dev-0.4
0.13-dev-0.5
0.13-dev-0.6
0.13-dev-0.7
0.13-dev-0.8
0.13-dev-0.9

Other

ci-release-test
unstable
unstable-master

tiger-2.*

tiger-2.0.9-dev-20230104

v0.*

v0.10.0
v0.11.0
v0.12.0
v0.12.1
v0.12.2
v0.12.3
v0.12.4
v0.13.0
v0.14.0
v0.3
v0.4
v0.5
v0.5.1
v0.6.0
v0.7.0
v0.8.0
v0.8.1
v0.8.2
v0.9.0

v1.*

v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.7.0
v1.7.0-rc1
v1.7.0-rc2
v1.7.0-rc3
v1.7.0-rc4
v1.7.0-rc5
v1.7.0-rc6
v1.7.0-rc7
v1.7.0-rc8
v1.7.0-rc9
v1.8.0
v1.8.0-rc1
v1.9.0
v1.9.0-ci-test-1
v1.9.0-rc1
v1.9.0-rc2
v1.9.0-rc3
v1.9.0-rc4
v1.9.1
v1.9.2
v1.9.3
v1.9.4
v1.9.5
v1.9.6

v2.*

v2.0.0
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.0.0pre
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.0.5
v2.0.6
v2.0.7
v2.0.8
v2.0.9
v2.1.0
v2.1.0-rc1
v2.1.0-rc2
v2.1.1
v2.1.10
v2.1.2
v2.1.3
v2.1.4
v2.1.5
v2.1.5-windows-artifact-fix
v2.1.6
v2.1.7
v2.1.8
v2.1.9
v2.2.0
v2.2.1
v2.2.2

v3.*

v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4

v4.*

v4.0.0
v4.0.1
v4.0.2
v4.0.3
v4.0.4
v4.1.0