About “Fluent Bit”

A curated feed of “Fluent Bit”-related CVEs appears below. We currently track 18 CVEs for this tag (all time). In the last 365 days, 5 were published. Average CVSS is 7.4 (all time; 7.0 over 365d), and 72% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-1287 - Improper Validation of Specified Type of Input, CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow').

In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long-term versions, and stage rollouts with monitoring. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: fluent-bit

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

Cycle  Release  Latest  EOL  LTS
5.0  5.0.6  -
4.2  4.2.4  Soon
4.1  4.1.2  Expired
4.0  4.0.14  Expired
3.2  3.2.10  Expired
3.1  3.1.10  Expired
3.0  3.0.7  Expired
2.2  2.2.3  Expired
2.1  2.1.10  Expired
2.0  2.0.14  Expired
1.9  1.9.10  Expired
1.8  1.8.15  Expired
1.7  1.7.9  -  Expired
1.6  1.6.10  -  Expired
1.5  1.5.7  -  Expired
1.4  1.4.6  -  Expired
1.3  1.3.11  -  Expired
1.2  1.2.2  -  Expired
1.1  1.1.3  -  Expired
1.0  1.0.6  -  Expired
0.14  0.14.9  -  Expired
0.13  0.13.8  -  Expired
0.12  0.12.19  -  Expired
0.11  0.11.17  -  Expired
0.10  0.10.1  -  Expired

Legend: Maintained  ·  Soon (≤ 180 days)  ·  Expired


CVEs tagged with this topic.

2025-11-24
Medium

CVE-2025-12978

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a ta…

Critical

CVE-2025-12977

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can sup…

Medium

CVE-2025-12972

Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This al…

High

CVE-2025-12970

The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. An attacker who can create containers or control contai…

Medium

CVE-2025-12969

Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to th…

2025-04-07
Medium

CVE-2025-29478

An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the cfl_list_size in cfl_list.h:165.

2025-04-04
Medium

CVE-2025-29477

An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the function consume_event.

2025-02-18
High

CVE-2024-50609

An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the se…

High

CVE-2024-50608

An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it cras…

2024-05-20
Critical

CVE-2024-4323

A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3.0.3. This issue lies in the embedded http server’s parsing of trace requests and may result in denial of service conditions, info…

2024-03-26
High

CVE-2024-23722

In Fluent Bit 2.1.8 through 2.2.1, a NULL pointer dereference can be caused via an invalid HTTP payload with the content type of x-www-form-urlencoded. It crashes and does not restart. This could res…

2024-02-26
High

CVE-2024-26455

fluent-bit 2.2.2 contains a Use-After-Free vulnerability in /fluent-bit/plugins/custom_calyptia/calyptia.c.

2023-04-11
High

CVE-2021-46879

An issue was discovered in Treasure Data Fluent Bit 1.7.1, a wrong variable is used to get the msgpack data resulting in a heap overflow in flb_msgpack_gelf_value_ext. An attacker can craft a malicio…

High

CVE-2021-46878

An issue was discovered in Treasure Data Fluent Bit 1.7.1, erroneous parsing in flb_pack_msgpack_to_json_format leads to type confusion bug that interprets whatever is on the stack as msgpack maps an…

2021-07-01
Critical

CVE-2021-36088

Fluent Bit (aka fluent-bit) 1.7.0 through 1.7.4 has a double free in flb_free (called from flb_parser_json_do and flb_parser_do).

2021-02-10
High

CVE-2021-27186

Fluent Bit 1.6.10 has a NULL pointer dereference when an flb_malloc return value is not validated by flb_avro.c or http_server/api/v1/metrics.c.

2021-01-03
High

CVE-2020-35963

flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out-of-bounds write because it does not use the correct calculation of the maximum gzip data-size expansion.

2019-03-13
High

CVE-2019-9749

An issue was discovered in the MQTT input plugin in Fluent Bit through 1.0.4. When this plugin acts as an MQTT broker (server), it mishandles incoming network messages. After processing a crafted pac…
