Skip to main content

Fluent Bit

15 CVEs product

Monthly

CVE-2025-12978 MEDIUM This Month

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Fluent Bit
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2025-12977 CRITICAL This Week

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Elastic Fluent Bit
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-12972 MEDIUM This Month

Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Fluent Bit
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-12970 HIGH This Month

The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow RCE Fluent Bit Docker
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2025-12969 MEDIUM This Month

Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Fluent Bit
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-29478 MEDIUM POC This Month

An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the cfl_list_size in cfl_list.h:165. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Fluent Bit
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2025-29477 MEDIUM POC This Month

An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the function consume_event. Rated medium severity (CVSS 5.5). Public exploit code available and no vendor patch available.

Denial Of Service Fluent Bit
NVD GitHub
CVSS 3.1
5.5
EPSS
0.1%
CVE-2024-50609 HIGH POC This Week

An issue was discovered in Fluent Bit 3.1.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Fluent Bit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-50608 HIGH POC This Week

An issue was discovered in Fluent Bit 3.1.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Fluent Bit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2024-4323 CRITICAL POC PATCH THREAT Act Now

A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Heap Overflow Buffer Overflow RCE Information Disclosure Denial Of Service +1
NVD GitHub
CVSS 3.1
9.8
EPSS
28.3%
CVE-2024-23722 HIGH POC PATCH This Week

In Fluent Bit 2.1.8 through 2.2.1, a NULL pointer dereference can be caused via an invalid HTTP payload with the content type of x-www-form-urlencoded. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Null Pointer Dereference Denial Of Service Fluent Bit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.9%
CVE-2024-26455 HIGH POC This Week

fluent-bit 2.2.2 contains a Use-After-Free vulnerability in /fluent-bit/plugins/custom_calyptia/calyptia.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Memory Corruption Fluent Bit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.7%
CVE-2021-36088 CRITICAL POC PATCH Act Now

Fluent Bit (aka fluent-bit) 1.7.0 through 1.7.4 has a double free in flb_free (called from flb_parser_json_do and flb_parser_do). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Fluent Bit
NVD GitHub
CVSS 3.1
9.8
EPSS
2.4%
CVE-2021-27186 HIGH POC PATCH This Week

Fluent Bit 1.6.10 has a NULL pointer dereference when an flb_malloc return value is not validated by flb_avro.c or http_server/api/v1/metrics.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Null Pointer Dereference Denial Of Service Fluent Bit
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2019-9749 HIGH POC This Week

An issue was discovered in the MQTT input plugin in Fluent Bit through 1.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Fluent Bit
NVD GitHub
CVSS 3.1
7.5
EPSS
1.7%
EPSS 0% CVSS 5.4
MEDIUM This Month

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Code Injection Fluent Bit
NVD
EPSS 0% CVSS 9.1
CRITICAL This Week

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Elastic Fluent Bit
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Path Traversal Fluent Bit
NVD
EPSS 0% CVSS 8.8
HIGH This Month

The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Buffer Overflow RCE Fluent Bit +1
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Fluent Bit
NVD
EPSS 0% CVSS 5.5
MEDIUM POC This Month

An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the cfl_list_size in cfl_list.h:165. Rated medium severity (CVSS 5.5), this vulnerability is low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Fluent Bit
NVD GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the function consume_event. Rated medium severity (CVSS 5.5). Public exploit code available and no vendor patch available.

Denial Of Service Fluent Bit
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

An issue was discovered in Fluent Bit 3.1.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Fluent Bit
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC This Week

An issue was discovered in Fluent Bit 3.1.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Null Pointer Dereference Denial Of Service Fluent Bit
NVD GitHub
EPSS 28% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3.0.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Heap Overflow Buffer Overflow RCE +3
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC PATCH This Week

In Fluent Bit 2.1.8 through 2.2.1, a NULL pointer dereference can be caused via an invalid HTTP payload with the content type of x-www-form-urlencoded. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Null Pointer Dereference Denial Of Service Fluent Bit
NVD GitHub
EPSS 1% CVSS 7.5
HIGH POC This Week

fluent-bit 2.2.2 contains a Use-After-Free vulnerability in /fluent-bit/plugins/custom_calyptia/calyptia.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Use After Free Information Disclosure Memory Corruption +1
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC PATCH Act Now

Fluent Bit (aka fluent-bit) 1.7.0 through 1.7.4 has a double free in flb_free (called from flb_parser_json_do and flb_parser_do). Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Fluent Bit
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Fluent Bit 1.6.10 has a NULL pointer dereference when an flb_malloc return value is not validated by flb_avro.c or http_server/api/v1/metrics.c. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Null Pointer Dereference Denial Of Service Fluent Bit
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC This Week

An issue was discovered in the MQTT input plugin in Fluent Bit through 1.0.4. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Fluent Bit
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy