Treasuredata Fluent_bit
18 CVEs affecting Treasuredata Fluent_bit. Latest disclosed: 2025-11-24. Critical: 3, High: 10.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
CVE-2024-4323 | Critical | 9.8 | 2024-05-20 | A memory corruption vulnerability in Fluent Bit versions 2.0.7 thru 3.0.3. This issue lies in the embedded http server’s parsing of trace requests and may resu… |
CVE-2021-36088 | Critical | 9.8 | 2021-07-01 | Fluent Bit (aka fluent-bit) 1.7.0 through 1.7.4 has a double free in flb_free (called from flb_parser_json_do and flb_parser_do). |
CVE-2025-12977 | Critical | 9.1 | 2025-11-24 | Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write reco… |
CVE-2025-12970 | High | 8.8 | 2025-11-24 | The extract_name function in Fluent Bit in_docker input plugin copies container names into a fixed size stack buffer without validating length. An attacker who… |
CVE-2021-46879 | High | 7.8 | 2023-04-11 | An issue was discovered in Treasure Data Fluent Bit 1.7.1, a wrong variable is used to get the msgpack data resulting in a heap overflow in flb_msgpack_gelf_va… |
CVE-2021-46878 | High | 7.8 | 2023-04-11 | An issue was discovered in Treasure Data Fluent Bit 1.7.1, erroneous parsing in flb_pack_msgpack_to_json_format leads to type confusion bug that interprets wha… |
CVE-2020-35963 | High | 7.8 | 2021-01-03 | flb_gzip_compress in flb_gzip.c in Fluent Bit before 1.6.4 has an out-of-bounds write because it does not use the correct calculation of the maximum gzip data-… |
CVE-2024-50609 | High | 7.5 | 2025-02-18 | An issue was discovered in Fluent Bit 3.1.9. When the OpenTelemetry input plugin is running and listening on an IP address and port, one can send a packet with… |
CVE-2024-50608 | High | 7.5 | 2025-02-18 | An issue was discovered in Fluent Bit 3.1.9. When the Prometheus Remote Write input plugin is running and listening on an IP address and port, one can send a p… |
CVE-2024-23722 | High | 7.5 | 2024-03-26 | In Fluent Bit 2.1.8 through 2.2.1, a NULL pointer dereference can be caused via an invalid HTTP payload with the content type of x-www-form-urlencoded. It cras… |
CVE-2024-26455 | High | 7.5 | 2024-02-26 | fluent-bit 2.2.2 contains a Use-After-Free vulnerability in /fluent-bit/plugins/custom_calyptia/calyptia.c. |
CVE-2021-27186 | High | 7.5 | 2021-02-10 | Fluent Bit 1.6.10 has a NULL pointer dereference when an flb_malloc return value is not validated by flb_avro.c or http_server/api/v1/metrics.c. |
CVE-2019-9749 | High | 7.5 | 2019-03-13 | An issue was discovered in the MQTT input plugin in Fluent Bit through 1.0.4. When this plugin acts as an MQTT broker (server), it mishandles incoming network… |
CVE-2025-12969 | Medium | 6.5 | 2025-11-24 | Fluent Bit in_forward input plugin does not properly enforce the security.users authentication mechanism under certain configuration conditions. This allows re… |
CVE-2025-29478 | Medium | 5.5 | 2025-04-07 | An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the cfl_list_size in cfl_list.h:165. |
CVE-2025-29477 | Medium | 5.5 | 2025-04-04 | An issue in fluent-bit v.3.7.2 allows a local attacker to cause a denial of service via the function consume_event. |
CVE-2025-12978 | Medium | 5.4 | 2025-11-24 | Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matchin… |
CVE-2025-12972 | Medium | 5.3 | 2025-11-24 | Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted ta… |