Input Plugin Vulnerability in Fluent Bit Affects Data Integrity and Log Routing
CVE-2025-12977
9.1 CRITICAL
What is CVE-2025-12977?
Fluent Bit's in_http, in_splunk, and in_elasticsearch input plugins do not adequately sanitize tag_key inputs. An attacker with network access, or one able to manipulate records in Splunk or Elasticsearch, can introduce tag_key values containing special characters such as newlines or directory traversal sequences (../). This can lead to newline injection, path traversal, and forged record injection. The improper handling of tags can ultimately compromise data integrity and misroute log outputs, a critical concern for organizations relying on Fluent Bit for log management.
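A defensive check for the class of input described above, as an added example that is not Fluent Bit's code or its fix: a record-derived tag is accepted only if it matches a strict allowlist, and the statically configured tag is used otherwise. The function names, the 256-byte limit and the allowed character set are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TAG_MAX_LEN 256  /* assumed limit, not a Fluent Bit constant */

/* Returns 1 if a record-derived tag is safe to use for routing or as part
 * of an output path, 0 otherwise. len is explicit because record values
 * are length-delimited and may contain embedded NUL bytes. */
int tag_is_safe(const char *tag, size_t len)
{
    size_t i;

    if (tag == NULL || len == 0 || len > TAG_MAX_LEN)
        return 0;
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char) tag[i];
        int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                 (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
        if (!ok)
            return 0;   /* rejects \n, \r, '/', '\\', NUL, spaces, ... */
        if (c == '.' && i + 1 < len && tag[i + 1] == '.')
            return 0;   /* rejects ".." even when no slash follows */
    }
    return 1;
}

/* Use the record-supplied tag only if it validates; otherwise keep the
 * statically configured tag. candidate must be NUL-terminated at len
 * if the caller goes on to use it as a C string. */
const char *choose_tag(const char *candidate, size_t len, const char *fallback)
{
    return tag_is_safe(candidate, len) ? candidate : fallback;
}

int main(void)
{
    /* Constructed sample values, not taken from real traffic. */
    const char *samples[] = { "app.frontend", "app\nforged", "../../etc/x", "a..b" };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("sample %zu -> %s\n", i,
               choose_tag(samples[i], strlen(samples[i]), "http.default"));
    return 0;
}
```

Only the first sample keeps its own tag; the other three fall back to `http.default`.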
Affected Version(s)
Fluent Bit 4.1.0
