CVE-2025-12978

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-12978

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-12978.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-12978

Aliases

BIT-fluent-bit-2025-12978

Published

2025-11-24T15:15:46.873Z

Modified

2026-03-12T17:36:21.233192Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L CVSS Calculator

Summary

[none]

Details

Fluent Bit inhttp, insplunk, and inelasticsearch input plugins contain a flaw in the tagkey validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behavior to manipulate tags and redirect records to unintended destinations. This compromises the authenticity of ingested logs and can allow injection of forged data, alert flooding and routing manipulation.

References

https://fluentbit.io/announcements/v4.1.0/

Affected packages

Git / github.com/fluent/fluent-bit

Affected ranges

Type

GIT

Repo

https://github.com/fluent/fluent-bit

Events

Introduced

Last affected

a8bd9e4cf636710dc7ce3af9d940bb4d91e660fc

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.1.0"
        }
    ]
}

Affected versions

0.*

0.13-dev-0.10

0.13-dev-0.11

0.13-dev-0.12

0.13-dev-0.13

0.13-dev-0.14

0.13-dev-0.15

0.13-dev-0.16

0.13-dev-0.17

0.13-dev-0.18

0.13-dev-0.4

0.13-dev-0.5

0.13-dev-0.6

0.13-dev-0.7

0.13-dev-0.8

0.13-dev-0.9

Other

ci-release-test

unstable

unstable-master

tiger-2.*

tiger-2.0.9-dev-20230104

v0.*

v0.10.0

v0.11.0

v0.12.0

v0.12.1

v0.12.2

v0.12.3

v0.12.4

v0.13.0

v0.14.0

v0.3

v0.4

v0.5

v0.5.1

v0.6.0

v0.7.0

v0.8.0

v0.8.1

v0.8.2

v0.9.0

v1.*

v1.0.0

v1.1.0

v1.2.0

v1.3.0

v1.4.0

v1.5.0

v1.6.0

v1.7.0

v1.7.0-rc1

v1.7.0-rc2

v1.7.0-rc3

v1.7.0-rc4

v1.7.0-rc5

v1.7.0-rc6

v1.7.0-rc7

v1.7.0-rc8

v1.7.0-rc9

v1.8.0

v1.8.0-rc1

v1.9.0

v1.9.0-ci-test-1

v1.9.0-rc1

v1.9.0-rc2

v1.9.0-rc3

v1.9.0-rc4

v1.9.1

v1.9.2

v1.9.3

v1.9.4

v1.9.5

v1.9.6

v2.*

v2.0.0

v2.0.0-rc1

v2.0.0-rc2

v2.0.0-rc3

v2.0.0pre

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.0.7

v2.0.8

v2.0.9

v2.1.0

v2.1.0-rc1

v2.1.0-rc2

v2.1.1

v2.1.10

v2.1.2

v2.1.3

v2.1.4

v2.1.5

v2.1.5-windows-artifact-fix

v2.1.6

v2.1.7

v2.1.8

v2.1.9

v2.2.0

v2.2.1

v2.2.2

v3.*

v3.0.0

v3.0.1

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.1.0

v3.1.1

v3.1.2

v3.1.3

v3.1.4

v3.1.5

v3.1.6

v3.1.7

v3.2.0

v3.2.1

v3.2.2

v3.2.3

v3.2.4

v4.*

v4.0.0

v4.0.1

v4.0.2

v4.0.3

v4.0.4

v4.1.0

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-12978.json"