
NR25-02 - Fluent Bit Plugins (CVE-2025-12969, CVE-2025-12970, CVE-2025-12972, CVE-2025-12977, CVE-2025-12978)

Vulnerability Identifier: NR25-02

Priority: High

Summary

By default, New Relic does not include or enable the specific plugins that are affected by the security vulnerabilities identified in certain versions of Fluent Bit. The specific plugins and their associated vulnerabilities are:

However, to support customers who have enabled these optional plugins, we recommend that customers upgrade to the latest available versions of these packages, which bundle the patched version of Fluent Bit (v4.0.13, v4.1.1, v4.2.0 or higher):

  • Infrastructure Agent - Windows
  • Infrastructure Agent - Linux
  • Kubernetes Plugin
  • New Relic Fluent Bit Output Plugin Docker Image

Action required

New Relic strongly advises our customers who are using the aforementioned log forwarding instrumentation to take immediate action as follows. If you are unable to upgrade to the latest agent versions containing Fluent Bit v4.0.13, v4.1.1, or v4.2.0, we recommend disabling the affected plugins specified above to mitigate the risk.

Solution / Action Required

  • Infrastructure agent - Windows: Upgrade the Infrastructure agent to version v1.71.2 or later
  • Infrastructure agent - Linux: Upgrade the Infrastructure agent to version v1.71.2 or later AND update Fluent Bit to version v4.2.0 or later
  • Kubernetes plugin: Upgrade using either newrelic-logging-1.33.0 or nri-bundle-6.0.28
  • New Relic Fluent Bit Output Plugin Docker Image: Update to version 3.2.1

New Relic has provided the following resources to assist with these updates:

Frequently Asked Questions

  1. How can I find out if I'm using the vulnerable plugins?

    • Check your Fluent Bit configuration file(s) for use of the tag_key parameter in input plugins (e.g. HTTP, Splunk, or Elasticsearch), which may leave your installation vulnerable to the attacks described in CVE-2025-12978 and CVE-2025-12977
    • Check your Fluent Bit configuration file(s) for use of the File output plugin, especially where the File configuration parameter has not been set, which may leave your installation vulnerable to the attacks described in CVE-2025-12972
    • Check your Fluent Bit configuration file(s) for use of the Docker metrics input plugin, which may leave your installation vulnerable to the attacks described in CVE-2025-12970
    • Check your Fluent Bit configuration file(s) for use of the Forward input plugin, which may leave your installation vulnerable to the attacks described in CVE-2025-12969
  2. I am using the Infrastructure Agent but have disabled log forwarding. Am I impacted?

    If you previously used New Relic log forwarding instrumentation (listed above), and used the affected plugins, you might still be impacted. New Relic recommends that you upgrade your agents, or at minimum disable the affected plugins. Additionally, New Relic recommends that all customers identify any other uses of Fluent Bit in their environments and update them to at least version v4.0.13, v4.1.1, or v4.2.0.

  3. How can I find out which Fluent Bit version I'm using?

    Agent / Steps

    Infrastructure agent and standalone Fluent Bit:

    • For your Infrastructure agents, navigate to the Infrastructure Inventory UI and search for Fluent Bit. Then, check the Fluent Bit version installed on a given host.

    Kubernetes:

    • For New Relic Logging Helm chart version 1.25.0 or higher, navigate to the Installed tab and search for Fluent Bit in the entities field.
    • Otherwise, run the following NRQL query:

      FROM K8sContainerSample select latest(containerImage) Where podName like '%newrelic-logging%' FACET clusterName

      Then, check which Fluent Bit version was installed with the output plugin.

  4. What should I do if there are no patched artifacts available for my OS?

    • There is no patched Fluent Bit upstream package available for Ubuntu 16, 18, and 20. If you are running on any of these distributions, we recommend you remove the affected input plugins to protect against these vulnerabilities.
    • We are working to provide patched packages for SLES 12.5 and 15.4 as soon as possible. Until we roll out the updated packages for these distributions, we recommend removing the affected plugins to protect against these vulnerabilities.
    • We are working to provide a patched package for Debian 13 as soon as possible. Until we roll out a patched package for this distribution, we recommend removing the affected plugins to protect against these vulnerabilities.
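
The configuration checks listed under FAQ item 1, written as a small audit script (an added example, not New Relic's or Fluent Bit's own tooling). It assumes Fluent Bit's classic INI-style configuration format and the plugin names http, forward, docker and file; the sample configuration is constructed, and YAML configurations and @INCLUDE files are not followed.

```python
# Constructed sample in Fluent Bit's classic config format; not from a real host.
SAMPLE_CONFIG = """
[INPUT]
    Name     http
    Tag_Key  source
[INPUT]
    Name  forward
[INPUT]
    Name  tail
[OUTPUT]
    Name  file
    Path  /var/log/out
[OUTPUT]
    Name  file
    Path  /var/log/out
    File  app.log
"""

def parse_sections(text):
    """Return [(SECTION, {key: value})]; keys are lowercased (case-insensitive)."""
    sections = []
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1].strip().upper(), {}))
        elif sections and line and not line.startswith("#"):
            parts = line.split(None, 1) + [""]
            sections[-1][1][parts[0].lower()] = parts[1].strip()
    return sections

def audit(text):
    """Return (CVE ids, plugin, note) for each section the bulletin's checks match."""
    findings = []
    for kind, props in parse_sections(text):
        name = props.get("name", "").lower()
        if kind == "INPUT" and "tag_key" in props:
            findings.append(("CVE-2025-12977, CVE-2025-12978", name, "tag_key set"))
        if kind == "INPUT" and name == "forward":
            findings.append(("CVE-2025-12969", name, "Forward input enabled"))
        if kind == "INPUT" and name == "docker":
            findings.append(("CVE-2025-12970", name, "Docker metrics input enabled"))
        if kind == "OUTPUT" and name == "file":
            note = "File set" if props.get("file") else "File not set"
            findings.append(("CVE-2025-12972", name, note))
    return findings

if __name__ == "__main__":
    for cves, plugin, note in audit(SAMPLE_CONFIG):
        print(f"{plugin}: {note} -> review against {cves}")
```

Run it against each Fluent Bit configuration file on a host by passing the file's contents to audit(); an empty result means none of the four checks matched that file.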

Supporting Release Notes

Fluent Bit release notes

Infrastructure Release Notes

Fluent Bit Output Plugin Release Notes

Technical vulnerability information

CVE-2025-12969

CVE-2025-12970

CVE-2025-12972

CVE-2025-12977

CVE-2025-12978

Publication History

December 11, 2025 - NR25-02 Published

Copyright © 2025 New Relic K.K.
