Splunk has released patches for multiple vulnerabilities in its Enterprise and Cloud Platform products, some of which could allow attackers to execute unauthorized JavaScript code, access sensitive information, or cause a denial-of-service (DoS) condition.
The advisories, published on October 1, 2025, detail six security flaws, with severity ratings ranging from Medium to High.
The most critical vulnerability is a Server-Side Request Forgery (SSRF) flaw, tracked as CVE-2025-20371, with a high CVSS score of 7.5.
This vulnerability could allow an unauthenticated attacker to trigger a blind SSRF, potentially enabling them to perform REST API calls on behalf of an authenticated, high-privileged user.
Successful exploitation requires the enableSplunkWebClientNetloc setting to be enabled and likely involves phishing the victim to initiate a request from their browser.
Code Execution and Information Disclosure Flaws
Two of the vulnerabilities allow the execution of unauthorized JavaScript code in a victim's browser, a form of cross-site scripting (XSS):
- CVE-2025-20367 (CVSS: 5.7): A low-privileged user can craft a malicious payload through the dataset.command parameter of a specific endpoint, leading to the execution of JavaScript code in a user's browser.
- CVE-2025-20368 (CVSS: 5.7): Similarly, a low-privileged user can inject a malicious payload into the error messages and job inspection details of a saved search, resulting in unauthorized code execution.
Another significant flaw, CVE-2025-20366 (CVSS: 6.5), allows for information disclosure. In this scenario, a low-privileged user without ‘admin’ or ‘power’ roles could access the results of an administrative search job running in the background.
If the attacker correctly guesses the unique Search ID (SID) of the job, they could retrieve potentially sensitive search results.
Denial of Service and XXE Vulnerabilities
The security update also addresses two medium-severity vulnerabilities that could impact system availability and integrity:
- CVE-2025-20370 (CVSS: 4.9): A user with the change_authentication capability can send multiple LDAP bind requests to an internal endpoint, causing high CPU usage and a potential DoS that requires an instance restart to resolve.
- CVE-2025-20369 (CVSS: 4.6): A low-privileged user can perform an XML External Entity (XXE) injection through the dashboard tab label field, which could also lead to a DoS attack.
Affected Products and Mitigations
The vulnerabilities affect multiple versions of Splunk Enterprise and Splunk Cloud Platform. The affected Splunk Enterprise versions include those below 9.4.4, 9.3.6, and 9.2.8. For some flaws, version 10.0.0 is also affected.
Splunk has released patches and urges customers to upgrade to the following or later versions:
| CVE ID | Vulnerability Type | CVSS 3.1 Score | Affected Product | Affected Versions | Fixed Versions |
|---|---|---|---|---|---|
| CVE-2025-20366 | Information Disclosure | 6.5 (Medium) | Splunk Enterprise | 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7 | 9.4.4, 9.3.6, 9.2.8 |
| CVE-2025-20366 | Information Disclosure | 6.5 (Medium) | Splunk Cloud Platform | Below 9.3.2411.111, below 9.3.2408.119, below 9.2.2406.122 | 9.3.2411.111, 9.3.2408.119, 9.2.2406.122 |
| CVE-2025-20367 | Cross-Site Scripting (XSS) | 5.7 (Medium) | Splunk Enterprise | 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7 | 9.4.4, 9.3.6, 9.2.8 |
| CVE-2025-20367 | Cross-Site Scripting (XSS) | 5.7 (Medium) | Splunk Cloud Platform | Below 9.3.2411.109, below 9.3.2408.119, below 9.2.2406.122 | 9.3.2411.109, 9.3.2408.119, 9.2.2406.122 |
| CVE-2025-20368 | Cross-Site Scripting (XSS) | 5.7 (Medium) | Splunk Enterprise | 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7 | 9.4.4, 9.3.6, 9.2.8 |
| CVE-2025-20368 | Cross-Site Scripting (XSS) | 5.7 (Medium) | Splunk Cloud Platform | Below 9.3.2411.108, below 9.3.2408.118, below 9.2.2406.123 | 9.3.2411.108, 9.3.2408.118, 9.2.2406.123 |
| CVE-2025-20369 | XXE Injection | 4.6 (Medium) | Splunk Enterprise | 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7 | 9.4.4, 9.3.6, 9.2.8 |
| CVE-2025-20369 | XXE Injection | 4.6 (Medium) | Splunk Cloud Platform | Below 9.3.2411.108, below 9.3.2408.118, below 9.2.2406.123 | 9.3.2411.108, 9.3.2408.118, 9.2.2406.123 |
| CVE-2025-20370 | Denial of Service (DoS) | 4.9 (Medium) | Splunk Enterprise | 10.0.0, 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7 | 10.0.1, 9.4.4, 9.3.6, 9.2.8 |
| CVE-2025-20370 | Denial of Service (DoS) | 4.9 (Medium) | Splunk Cloud Platform | Below 9.3.2411.108, below 9.3.2408.118, below 9.2.2406.123 | 9.3.2411.108, 9.3.2408.118, 9.2.2406.123 |
| CVE-2025-20371 | Server-Side Request Forgery (SSRF) | 7.5 (High) | Splunk Enterprise | 10.0.0, 9.4.0 – 9.4.3, 9.3.0 – 9.3.5, 9.2.0 – 9.2.7 | 10.0.1, 9.4.4, 9.3.6, 9.2.8 |
| CVE-2025-20371 | Server-Side Request Forgery (SSRF) | 7.5 (High) | Splunk Cloud Platform | Below 9.3.2411.109, below 9.3.2408.119, below 9.2.2406.122 | 9.3.2411.109, 9.3.2408.119, 9.2.2406.122 |
Splunk has confirmed it is actively patching all Splunk Cloud Platform instances and will notify customers upon completion.
For users unable to apply the updates immediately, several workarounds are available. A common mitigation for many of the vulnerabilities is to disable Splunk Web if it is not required.
For the SSRF flaw (CVE-2025-20371), administrators can mitigate the risk by setting enableSplunkWebClientNetloc to false in the web.conf file.
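The following Python script is an added example for this article, not Splunk's code and not part of the advisories: it encodes the Splunk Enterprise fixed versions from the table above, decides which of the six CVEs still apply to a given installed version, and checks a local web.conf for the enableSplunkWebClientNetloc setting that CVE-2025-20371 depends on. It assumes that the setting counts as disabled when absent and that Splunk treats true or 1 as enabled; the sample web.conf is constructed, and Splunk Cloud Platform builds (9.3.2411.x and similar) are out of scope because Splunk patches those itself.

```python
"""Added example: triage a Splunk Enterprise host against the October 2025 advisories.

Not Splunk code. The fixed versions come from the advisory table; the sample
web.conf below is constructed for the example.
"""
import configparser
import io

ALL_CVES = frozenset({
    "CVE-2025-20366", "CVE-2025-20367", "CVE-2025-20368",
    "CVE-2025-20369", "CVE-2025-20370", "CVE-2025-20371",
})
# Only these two list 10.0.0 as affected (fixed in 10.0.1).
AFFECTS_10_0 = frozenset({"CVE-2025-20370", "CVE-2025-20371"})

# First fixed Splunk Enterprise build per release line, from the table above.
FIXED_BY_LINE = {
    (9, 2): (9, 2, 8),
    (9, 3): (9, 3, 6),
    (9, 4): (9, 4, 4),
    (10, 0): (10, 0, 1),
}

# Constructed sample web.conf with the weak setting enabled.
SAMPLE_WEB_CONF = """\
[settings]
httpport = 8000
# Enabling this is what makes CVE-2025-20371 exploitable
enableSplunkWebClientNetloc = true
"""


def parse_version(version):
    """'9.3.4' -> (9, 3, 4); tuples compare element-wise, so 9.3.10 > 9.3.6."""
    return tuple(int(part) for part in version.strip().split("."))


def affected_cves(version):
    """CVEs from the advisory that still affect this Enterprise version.

    Returns an empty set when the build is at or past the fix, or None when
    the release line (e.g. 9.1.x) is not covered by the table and cannot be
    judged here.
    """
    v = parse_version(version)
    fixed = FIXED_BY_LINE.get(v[:2])
    if fixed is None:
        return None
    if v >= fixed:
        return set()
    if v[:2] == (10, 0):
        return set(AFFECTS_10_0)
    return set(ALL_CVES)


def _load(web_conf_text):
    # optionxform=str keeps Splunk's camelCase setting names intact.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(web_conf_text)
    return cp


def ssrf_setting_enabled(web_conf_text):
    """True if [settings] enableSplunkWebClientNetloc is on.
    Assumption: absent means disabled, and true/1 mean enabled."""
    cp = _load(web_conf_text)
    value = cp.get("settings", "enableSplunkWebClientNetloc", fallback="false")
    return value.strip().lower() in ("true", "1")


def harden_web_conf(web_conf_text):
    """Return the config with enableSplunkWebClientNetloc forced to false,
    the workaround the advisory gives for CVE-2025-20371."""
    cp = _load(web_conf_text)
    if not cp.has_section("settings"):
        cp.add_section("settings")
    cp.set("settings", "enableSplunkWebClientNetloc", "false")
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


def triage(version, web_conf_text, splunk_web_required=True):
    """Combine the version and config checks into a list of actions."""
    cves = affected_cves(version)
    actions = []
    if cves is None:
        actions.append("release line not covered by the advisory; check Splunk's advisory directly")
        return cves, actions
    if cves:
        target = ".".join(str(p) for p in FIXED_BY_LINE[parse_version(version)[:2]])
        actions.append(f"upgrade to {target} or later")
        if "CVE-2025-20371" in cves and ssrf_setting_enabled(web_conf_text):
            actions.append("set enableSplunkWebClientNetloc = false in web.conf")
        if not splunk_web_required:
            actions.append("disable Splunk Web until patched")
    return cves, actions


if __name__ == "__main__":
    for ver in ("9.3.4", "10.0.0", "9.4.4"):
        print(ver, triage(ver, SAMPLE_WEB_CONF, splunk_web_required=False))
    print(harden_web_conf(SAMPLE_WEB_CONF))
```

Run it against the version string from `splunk version` and the merged web.conf the instance actually uses (system/local overrides the default), since a `true` in a local override is what matters, not the shipped default.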