Fluent Bit vulnerabilities pose a high risk to cloud environments

  • Fluent Bit flaws allow attackers to manipulate protocols and execute code remotely
  • CVE-2025-12972 can overwrite files on disk, which could compromise the system
  • CVE-2025-12970 exploits a stack buffer overflow to trigger remote code execution

Experts warn that a widely used open-source log processing tool has critical flaws that could allow attackers to compromise cloud infrastructure.

Oligo Security claims that the Fluent Bit vulnerabilities enable protocol manipulation, authentication bypass, and remote code execution on systems from major cloud providers, including AWS, Google Cloud, and Microsoft Azure.

Distributed in billions of containers, Fluent Bit is widely used in industries such as banking, artificial intelligence and manufacturing, making it an attractive target.

Specific defects and risks

Exploiting these vulnerabilities can disrupt cloud storage services, corrupt data, and compromise business operations that depend on constant access to the cloud.

Oligo Security’s research team identified five vulnerabilities and published details of the flaws together with the project’s maintainers.

The vulnerabilities disclosed include path traversal through unsanitized tag values, a stack buffer overflow, a tag-matching bypass, and an authentication failure.

CVE-2025-12972 allows attackers to overwrite arbitrary files on disk, while CVE-2025-12970 allows remote code execution through container naming.
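The check that the path traversal class above calls for, as an added example (it is not Fluent Bit's code or its patch): it assumes a log router that derives an output file name from a record's tag, and `tag_is_safe`, `build_output_path` and `MAX_TAG_LEN` are hypothetical names. The tag is validated against an allow-list, and the path is built with a bounded write that fails closed instead of truncating.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Assumption: the output file name is derived from the record's tag. */
#define MAX_TAG_LEN 128 /* assumed limit for this example */

/* Return 1 if tag is safe to use as a single file-name component. */
int tag_is_safe(const char *tag)
{
    size_t len = tag ? strlen(tag) : 0;
    size_t i;
    if (len == 0 || len > MAX_TAG_LEN)
        return 0;
    if (tag[0] == '.' || strstr(tag, "..") != NULL)
        return 0; /* no ".", "..", hidden files or parent-directory runs */
    for (i = 0; i < len; i++) {
        unsigned char c = (unsigned char)tag[i];
        /* allow-list: '/', '\\', spaces and control bytes all fail here */
        if (!isalnum(c) && c != '.' && c != '_' && c != '-')
            return 0;
    }
    return 1;
}

/* Write "<base_dir>/<tag>" to out; 0 on success, -1 if rejected or too long. */
int build_output_path(const char *base_dir, const char *tag, char *out, size_t out_len)
{
    int n;
    if (base_dir == NULL || out == NULL || out_len == 0 || !tag_is_safe(tag))
        return -1;
    n = snprintf(out, out_len, "%s/%s", base_dir, tag);
    if (n < 0 || (size_t)n >= out_len)
        return -1; /* fail closed instead of using a truncated path */
    return 0;
}

int main(void)
{
    /* Constructed sample tags, not taken from a real deployment. */
    const char *tags[] = { "kube.var.log.app", "../outside.log", "app/../x", "" };
    char path[256];
    size_t i;
    for (i = 0; i < sizeof(tags) / sizeof(tags[0]); i++) {
        int ok = build_output_path("/var/log/out", tags[i], path, sizeof(path)) == 0;
        printf("%s \"%s\"\n", ok ? "accept" : "reject", tags[i]);
    }
    return 0;
}
```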

CVE-2025-12978 and CVE-2025-12977 allow log redirection, injection of misleading data, and manipulation of audit logs.

CVE-2025-12969 disables authentication for certain forwarders, allowing attackers to inject false telemetry or flood detection systems.

“From the code history, we can see that the tag management flaw behind CVE-2025-12977 has been around for at least four years and that the Docker input buffer overflow (CVE-2025-12970) is about six years old,” said Uri Katz, researcher at Oligo Security.

These vulnerabilities can prevent malware removal in cloud hosting environments and allow attackers to hide traces of unauthorized activity.

AWS identified the vulnerabilities and released Fluent Bit version 4.1.1 to protect internal systems.

Customers are encouraged to upgrade their workloads to the latest version and use Amazon Inspector, Security Hub, and Systems Manager to detect anomalies.

Organizations should review logging configurations and maintain ongoing monitoring.

In addition to these updates, antivirus and firewall protection measures are recommended to limit exposure.

However, the widespread use of Fluent Bit means that residual risks may still exist even after patches are applied, and these vulnerabilities are easy to exploit.

“There are multiple vulnerabilities here with varying degrees of complexity,” Katz said. “Some can be enabled with a basic understanding of Fluent Bit behavior… while others… require more familiarity with memory corruption. In general, the technical barrier to exploiting them is relatively low.”