Bitnami package
fluent-bit
pkg:bitnami/fluent-bit
Vulnerabilities (17)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-12978 | — | >= 4.1.0, < 4.1.1 | 4.1.1 | Nov 24, 2025 | Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authentic | ||
| CVE-2025-12969 | — | >= 4.1.0, < 4.1.1 | 4.1.1 | Nov 24, 2025 | Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to the Fluent Bit instance exposing the forward input to send unauthenticated data. By | ||
| CVE-2025-12972 | — | >= 4.1.0, < 4.1.1 | 4.1.1 | Nov 24, 2025 | Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequen | ||
| CVE-2025-12977 | — | >= 4.1.0, < 4.1.1 | 4.1.1 | Nov 24, 2025 | Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are | ||
| CVE-2025-12970 | — | >= 4.1.0, < 4.1.1 | 4.1.1 | Nov 24, 2025 | The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. An attacker who can create containers or control container names, can supply a long name that overflows the buffer, leading to process c | ||
| CVE-2025-29478 | — | >= 0 | — | Apr 7, 2025 | An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the cfl_list_size in cfl_list.h:165. | ||
| CVE-2025-29477 | — | >= 0 | — | Apr 4, 2025 | An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the function consume_event. | ||
| CVE-2024-50609 | — | >= 3.1.9, < 3.1.10 | 3.1.10 | Feb 18, 2025 | An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user (with | ||
| CVE-2024-50608 | — | >= 3.1.9, < 3.1.10 | 3.1.10 | Feb 18, 2025 | An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a u | ||
| CVE-2024-4323 | — | >= 2.0.7, < 3.0.4 | 3.0.4 | May 20, 2024 | A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3.0.3. This issue lies in the embedded http server’s parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution. | ||
| CVE-2024-23722 | — | >= 2.1.8, < 2.2.2 | 2.2.2 | Mar 26, 2024 | In Fluent Bit 2.1.8 through 2.2.1, a NULL pointer dereference can be caused via an invalid HTTP payload with the content type of x-www-form-urlencoded. It crashes and does not restart. This could result in logs not being delivered properly. | ||
| CVE-2024-26455 | — | >= 2.2.2, < 2.2.3 | 2.2.3 | Feb 26, 2024 | fluent-bit 2.2.2 contains a Use-After-Free vulnerability in /fluent-bit/plugins/custom_calyptia/calyptia.c. | ||
| CVE-2021-46879 | — | >= 1.7.1, < 1.7.2 | 1.7.2 | Apr 11, 2023 | An issue was discovered in Treasure Data Fluent Bit 1.7.1, a wrong variable is used to get the msgpack data resulting in a heap overflow in flb_msgpack_gelf_value_ext. An attacker can craft a malicious file and tick the victim to open the file with the software, triggering a heap | ||
| CVE-2021-46878 | — | >= 1.7.1, < 1.7.2 | 1.7.2 | Apr 11, 2023 | An issue was discovered in Treasure Data Fluent Bit 1.7.1, erroneous parsing in flb_pack_msgpack_to_json_format leads to type confusion bug that interprets whatever is on the stack as msgpack maps and arrays, leading to use-after-free. This can be used by an attacker to craft a s | ||
| CVE-2021-36088 | — | >= 1.7.0, < 1.7.5 | 1.7.5 | Jul 1, 2021 | Fluent Bit (aka fluent-bit) 1.7.0 through 1.7.4 has a double free in flb_free (called from flb_parser_json_do and flb_parser_do). | ||
| CVE-2021-27186 | — | >= 1.6.10, < 1.6.11 | 1.6.11 | Feb 10, 2021 | Fluent Bit 1.6.10 has a NULL pointer dereference when an flb_malloc return value is not validated by flb_avro.c or http_server/api/v1/metrics.c. | ||
| CVE-2020-35963 | — | < 1.6.4 | 1.6.4 | Jan 3, 2021 | flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out-of-bounds write because it does not use the correct calculation of the maximum gzip data-size expansion. |
- CVE-2025-12978Nov 24, 2025affected >= 4.1.0, < 4.1.1fixed 4.1.1
Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authentic
- CVE-2025-12969Nov 24, 2025affected >= 4.1.0, < 4.1.1fixed 4.1.1
Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows remote attackers with network access to the Fluent Bit instance exposing the forward input to send unauthenticated data. By
- CVE-2025-12972Nov 24, 2025affected >= 4.1.0, < 4.1.1fixed 4.1.1
Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequen
- CVE-2025-12977Nov 24, 2025affected >= 4.1.0, < 4.1.1fixed 4.1.1
Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are
- CVE-2025-12970Nov 24, 2025affected >= 4.1.0, < 4.1.1fixed 4.1.1
The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. An attacker who can create containers or control container names, can supply a long name that overflows the buffer, leading to process c
- CVE-2025-29478Apr 7, 2025affected >= 0
An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the cfl_list_size in cfl_list.h:165.
- CVE-2025-29477Apr 4, 2025affected >= 0
An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the function consume_event.
- CVE-2024-50609Feb 18, 2025affected >= 3.1.9, < 3.1.10fixed 3.1.10
An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a user (with
- CVE-2024-50608Feb 18, 2025affected >= 3.1.9, < 3.1.10fixed 3.1.10
An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a packet with Content-Length: 0 and it crashes the server. Improper handling of the case when Content-Length is 0 allows a u
- CVE-2024-4323May 20, 2024affected >= 2.0.7, < 3.0.4fixed 3.0.4
A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3.0.3. This issue lies in the embedded http server’s parsing of trace requests and may result in denial of service conditions, information disclosure, or remote code execution.
- CVE-2024-23722Mar 26, 2024affected >= 2.1.8, < 2.2.2fixed 2.2.2
In Fluent Bit 2.1.8 through 2.2.1, a NULL pointer dereference can be caused via an invalid HTTP payload with the content type of x-www-form-urlencoded. It crashes and does not restart. This could result in logs not being delivered properly.
- CVE-2024-26455Feb 26, 2024affected >= 2.2.2, < 2.2.3fixed 2.2.3
fluent-bit 2.2.2 contains a Use-After-Free vulnerability in /fluent-bit/plugins/custom_calyptia/calyptia.c.
- CVE-2021-46879Apr 11, 2023affected >= 1.7.1, < 1.7.2fixed 1.7.2
An issue was discovered in Treasure Data Fluent Bit 1.7.1, a wrong variable is used to get the msgpack data resulting in a heap overflow in flb_msgpack_gelf_value_ext. An attacker can craft a malicious file and tick the victim to open the file with the software, triggering a heap
- CVE-2021-46878Apr 11, 2023affected >= 1.7.1, < 1.7.2fixed 1.7.2
An issue was discovered in Treasure Data Fluent Bit 1.7.1, erroneous parsing in flb_pack_msgpack_to_json_format leads to type confusion bug that interprets whatever is on the stack as msgpack maps and arrays, leading to use-after-free. This can be used by an attacker to craft a s
- CVE-2021-36088Jul 1, 2021affected >= 1.7.0, < 1.7.5fixed 1.7.5
Fluent Bit (aka fluent-bit) 1.7.0 through 1.7.4 has a double free in flb_free (called from flb_parser_json_do and flb_parser_do).
- CVE-2021-27186Feb 10, 2021affected >= 1.6.10, < 1.6.11fixed 1.6.11
Fluent Bit 1.6.10 has a NULL pointer dereference when an flb_malloc return value is not validated by flb_avro.c or http_server/api/v1/metrics.c.
- CVE-2020-35963Jan 3, 2021affected < 1.6.4fixed 1.6.4
flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out-of-bounds write because it does not use the correct calculation of the maximum gzip data-size expansion.