Splunk has disclosed six critical security vulnerabilities impacting multiple versions of both Splunk Enterprise and Splunk Cloud Platform. These Splunk vulnerabilities, collectively highlighting serious weaknesses in Splunk’s web components, could allow attackers to execute unauthorized JavaScript code remotely, access sensitive information, and perform server-side request forgery (SSRF) attacks.
Key Cross-Site Scripting (XSS) Splunk Vulnerabilities
Among the most interesting vulnerabilities are two cross-site scripting (XSS) flaws that allow malicious JavaScript execution within user browsers. Notably, CVE-2025-20367 is a reflected XSS vulnerability located in the /app/search/table endpoint, carrying a CVSS score of 5.7. Low-privileged users, those without admin or power roles, can exploit this flaw by crafting malicious payloads via the dataset.command parameter. This attack vector can compromise other users’ sessions and potentially expose sensitive data.
Another related issue, CVE-2025-20368, involves stored XSS via missing field warning messages in Saved Search and Job Inspector features. Similarly, this vulnerability allows low-privileged users to inject malicious code, posing significant risks across affected versions.
Server-Side Request Forgery and Other Flaws
A particularly severe vulnerability is CVE-2025-20371, an unauthenticated blind SSRF flaw affecting Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, as well as various Splunk Cloud Platform versions. With a CVSS score of 7.5, this vulnerability allows attackers to coerce Splunk into making REST API calls on behalf of authenticated high-privilege users.
However, successful exploitation depends on the enableSplunkWebClientNetloc setting being enabled (true) in the web.conf configuration, and typically requires phishing to trick the victim into initiating the request.
Additionally, a denial of service (DoS) vulnerability (CVE-2025-20370) has been identified where users with the change_authentication privilege can send multiple LDAP bind requests, overwhelming the server’s CPU and forcing a restart of the affected instance. This vulnerability holds a medium severity score of 4.9.
Further vulnerabilities include:
- CVE-2025-20369: XML External Entity (XXE) injection through the dashboard label field, which can result in DoS attacks.
- CVE-2025-20366: Improper access control in background job submissions allows low-privileged users to access sensitive search results by guessing unique search job IDs.
Third-Party Package Security Updates
Splunk also addressed multiple vulnerabilities arising from third-party packages used within Splunk Enterprise. Released on the same day, these updates affect versions 10.0.1, 9.4.4, 9.3.6, 9.2.8, and above. Key changes include:
- Removal of vulnerable packages such as protobuf-java and webpack.
- Upgrades of mongod to version 7.0.14 and curl to 8.14.1 to address multiple high-severity CVEs.
- Patching of libxml2 against CVE-2025-32415.
- Upgrading jackson-core to v2.15.0 and mongotools to 100.12.1.
These package updates directly address vulnerabilities that could be exploited for remote code execution or other malicious activities.
Mitigation and Patch Recommendations
Splunk strongly recommends upgrading affected instances to fixed versions to address the identified vulnerabilities:
- Splunk Enterprise: Versions 10.0.1, 9.4.4, 9.3.6, 9.2.8 or higher.
- Splunk Cloud Platform: Ongoing patching is actively managed by Splunk.
Where immediate upgrades are not feasible, some mitigations include:
- Disabling Splunk Web to mitigate vulnerabilities dependent on its components.
- Turning off the enableSplunkWebClientNetloc setting to reduce SSRF risk.
- Removing high-privilege roles, such as change_authentication, to prevent DoS exploits.
No specific detection signatures currently exist for these vulnerabilities.
