Fluent Bit is an open-source log processor and forwarder. It is lightweight, highly performant, and secure, able to collect logs from multiple sources, process them, and send them to various destinations. Fluent Bit is part of the Fluentd ecosystem and is designed for high performance and low resource usage.

Fluent Bit

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behavior to manipulate tags and redirect records to unintended destinations. This compromises the authenticity of ingested logs and can allow injection of forged data, alert flooding and routing manipulation.

CVE ID	Severity	Score	Technologies	Component name	CISA KEV exploit	Has fix	Published date
CVE-2025-12977	CRITICAL	9.1	Fluent Bit	cpe:2.3:a:treasuredata:fluent_bit	No	Yes	Nov 24, 2025
CVE-2025-12970	HIGH	8.8	Fluent Bit	fluent-bit	No	Yes	Nov 24, 2025
CVE-2025-12969	MEDIUM	6.5	Fluent Bit	cpe:2.3:a:treasuredata:fluent_bit	No	Yes	Nov 24, 2025
CVE-2025-12978	MEDIUM	5.4	Fluent Bit	cpe:2.3:a:treasuredata:fluent_bit	No	Yes	Nov 24, 2025
CVE-2025-12972	MEDIUM	5.3	Fluent Bit	cpe:2.3:a:treasuredata:fluent_bit	No	Yes	Nov 24, 2025

CVE-2025-12978:
Fluent Bit vulnerability analysis and mitigation

5.4

Related Fluent Bit vulnerabilities:

Benchmark your Cloud Security Posture

Additional Wiz resources

Cloud Vulnerability DB

Cloud Threat Landscape

PEACH

Ready to see Wiz in action?

CVE-2025-12978: Fluent Bit vulnerability analysis and mitigation