CVE-2025-20367
📋 TL;DR
This is a cross-site scripting (XSS) vulnerability in Splunk Enterprise and Splunk Cloud Platform that allows low-privileged users to inject malicious JavaScript through the dataset.command parameter. When exploited, this could lead to unauthorized JavaScript execution in victims' browsers. Users of affected Splunk versions without proper patching are vulnerable.
💻 Affected Systems
- Splunk Enterprise
- Splunk Cloud Platform
📦 What is this software?
Splunk by Splunk
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal session cookies, perform actions as authenticated users, redirect users to malicious sites, or compromise user accounts through client-side attacks.
Likely Case
Attackers with low-privileged access could perform session hijacking, credential theft, or limited privilege escalation within the Splunk interface.
If Mitigated
With proper input validation and output encoding, the attack would be prevented, though the vulnerability would still exist in unpatched systems.
🎯 Exploit Status
Requires authenticated low-privileged user access; exploitation involves submitting a crafted value in the dataset.command parameter that is then rendered unescaped in another user's browser.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Splunk Enterprise: 9.4.4, 9.3.6, 9.2.8; Splunk Cloud Platform: 9.3.2411.109, 9.3.2408.119, 9.2.2406.122
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2025-1002
Restart Required: Yes
Instructions:
1. Download the appropriate patch version from the Splunk downloads page.
2. Back up the current installation.
3. Install the patch following the Splunk upgrade documentation.
4. Restart Splunk services.
🔧 Temporary Workarounds
Input Validation Filter
Implement input validation for the dataset.command parameter to reject payloads containing script markup
Configure web application firewall rules to filter malicious dataset.command parameters
Access Restriction
Restrict access to the /app/search/table endpoint to trusted users only
Configure Splunk role-based access controls to limit who can access search functionality
🧯 If You Can't Patch
- Implement strict Content Security Policy (CSP) headers to prevent JavaScript execution
- Monitor and audit user activities, especially low-privileged user interactions with search endpoints
🔍 How to Verify
Check if Vulnerable:
Check Splunk version via web interface or command line; compare against affected versions
Check Version:
On Splunk server: $SPLUNK_HOME/bin/splunk version
Verify Fix Applied:
Verify version is at or above patched versions; test dataset.command parameter with safe test payloads
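The version comparison described above, as an added example that is not part of the advisory: it takes the output of `splunk version` (or a bare version string) and reports whether the build is below the fix version for its release branch. The fix versions are the ones listed in this advisory; the assumption that every build below the fix version within a branch is affected, and that branches the advisory does not list should be reported as "unknown" rather than guessed, are mine. The `local_version` helper and its use of `SPLUNK_HOME` are hypothetical conveniences.

```python
"""Version check for CVE-2025-20367 (added example, not from the advisory page).

Assumptions: Splunk versions are dot-separated integers; within a release
branch (all components except the last), every build below the listed fix
version is affected; branches not listed here are reported as "unknown".
"""
import os
import re
import subprocess
from typing import Optional

# Fix versions exactly as stated in the advisory.
FIXED_VERSIONS = [
    "9.4.4", "9.3.6", "9.2.8",                       # Splunk Enterprise
    "9.3.2411.109", "9.3.2408.119", "9.2.2406.122",  # Splunk Cloud Platform
]


def parse_version(text: str) -> tuple:
    """Turn '9.4.3' or 'Splunk 9.4.3 (build abc123)' into a tuple of ints."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def assess(version_text: str, fixed=FIXED_VERSIONS) -> str:
    """Return 'vulnerable', 'patched' or 'unknown' for a version string."""
    v = parse_version(version_text)
    for fixed_text in fixed:
        f = parse_version(fixed_text)
        # Same branch when the component count matches and every component
        # but the last is equal: 9.4.x vs 9.4.4, 9.3.2411.x vs 9.3.2411.109.
        if len(v) == len(f) and v[:-1] == f[:-1]:
            return "patched" if v >= f else "vulnerable"
    return "unknown"  # branch not covered by the advisory's fix list


def local_version() -> Optional[str]:
    """Hypothetical helper: run $SPLUNK_HOME/bin/splunk version on this host."""
    home = os.environ.get("SPLUNK_HOME", "/opt/splunk")
    try:
        out = subprocess.run([os.path.join(home, "bin", "splunk"), "version"],
                             capture_output=True, text=True, timeout=30)
    except (OSError, subprocess.SubprocessError):
        return None
    return out.stdout.strip() or None


if __name__ == "__main__":
    text = local_version()
    if text is None:
        print("splunk binary not found; pass a version string to assess()")
    else:
        print(text, "->", assess(text))
```

Cloud Platform builds carry four components, so the branch key is the first three (9.3.2411), which keeps a 9.3.2411.x build from being compared against the Enterprise 9.3.6 line.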
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to /app/search/table endpoint
- Suspicious dataset.command parameter values in web logs
Network Indicators:
- Multiple requests with encoded JavaScript in parameters
- Unusual outbound connections from Splunk web interface
SIEM Query:
index=_internal sourcetype=splunk_web_access uri_path="*/app/search/table*" uri_query="*dataset.command=*" | search uri_query="*script*" OR uri_query="*javascript*"
(Splunk Web requests are logged with sourcetype splunk_web_access, and uri_path carries a locale prefix such as /en-US/, so the path is matched with wildcards; the parameter value is searched inside uri_query because dataset.command is not an extracted field.)
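The log indicators above, implemented as a standalone scanner: this is an added example, not part of the advisory, that parses Splunk Web access-log lines in combined-log style, keeps only requests to /app/search/table, decodes the dataset.command query parameter (repeatedly, so a double-encoded value is not missed) and flags values containing script markup. The sample log lines are constructed, the /en-US/ locale prefix and the indicator patterns are my assumptions, and a parameter sent in a POST body rather than the query string would not appear in the access log at all, so this covers query-string usage only.

```python
"""Scan Splunk Web access-log lines for suspicious dataset.command values.

Added example, not from the advisory. Log lines are constructed in the
combined-log style of splunk_web_access; the /en-US/ prefix and the
indicator regex are assumptions.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined-log style line: src - user [ts] "METHOD uri HTTP/x.y" status ...
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Conservative markers of script injection, matched after decoding (assumed set).
SUSPICIOUS = re.compile(
    r"<\s*script|javascript\s*:|\bon(?:load|error|click|mouseover)\s*=", re.I
)


def fully_decode(value: str, limit: int = 3) -> str:
    """Undo percent-encoding until stable so double-encoded values are caught."""
    for _ in range(limit):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line: str):
    """Return a finding for a suspicious dataset.command request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    if "/app/search/table" not in parts.path:
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    for raw in params.get("dataset.command", []):
        decoded = fully_decode(raw)
        if SUSPICIOUS.search(decoded):
            return {"src": m["src"], "user": m["user"], "ts": m["ts"],
                    "method": m["method"], "command": decoded}
    return None


def scan(lines):
    """Run inspect_line over an iterable of log lines and collect findings."""
    return [f for f in (inspect_line(l) for l in lines) if f]


# Constructed sample log: one benign query, one encoded script tag,
# one double-encoded script tag, one request to an unrelated endpoint.
SAMPLE_LOG = [
    '10.0.0.4 - reader [08/Oct/2025:10:15:30.001 +0000] "GET /en-US/app/search/table'
    '?dataset.command=%7C%20stats%20count HTTP/1.1" 200 2048 "-" "Mozilla/5.0" - 1a2b 3ms',
    '10.0.0.5 - analyst [08/Oct/2025:10:15:32.123 +0000] "POST /en-US/app/search/table'
    '?dataset.command=%3Cscript%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0" - 7f3a 5ms',
    '10.0.0.5 - analyst [08/Oct/2025:10:15:40.777 +0000] "GET /en-US/app/search/table'
    '?dataset.command=%253Cscript%253E HTTP/1.1" 200 512 "-" "Mozilla/5.0" - 7f3b 4ms',
    '10.0.0.6 - reader [08/Oct/2025:10:16:01.000 +0000] "GET /en-US/app/search/search'
    '?q=search%20index%3Dmain HTTP/1.1" 200 4096 "-" "Mozilla/5.0" - 9c1d 8ms',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Pair the findings with the user field: a low-privileged account repeatedly submitting such values to this endpoint is the pattern the advisory's Exploit Status describes, and the source IP and timestamp give the pivot for the rest of the session.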