CVE-2025-20368
📋 TL;DR
This CVE describes a cross-site scripting (XSS) vulnerability in Splunk Enterprise and Splunk Cloud Platform where low-privileged users can inject malicious JavaScript through saved search error messages and job inspection details. When exploited, this allows attackers to execute arbitrary JavaScript in victims' browsers, potentially leading to session hijacking or unauthorized actions. Affected users include all organizations running vulnerable Splunk versions with non-admin users who can create or view saved searches.
💻 Affected Systems
- Splunk Enterprise
- Splunk Cloud Platform
📦 What is this software?
Splunk by Splunk
⚠️ Risk & Real-World Impact
Worst Case
An attacker could steal administrator session cookies, perform actions as authenticated users, redirect users to malicious sites, or deploy ransomware through browser-based attacks.
Likely Case
Attackers with low-privileged accounts could perform session hijacking, steal sensitive data displayed in Splunk dashboards, or manipulate search results to mislead analysts.
If Mitigated
With proper input validation and output encoding, the attack would fail to execute JavaScript, limiting impact to benign error message display.
🎯 Exploit Status
Exploitation requires authenticated access with low privileges. The attack leverages built-in saved search functionality rather than requiring complex bypass techniques.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Splunk Enterprise: 9.4.4, 9.3.6, 9.2.8; Splunk Cloud Platform: 9.3.2411.108, 9.3.2408.118, 9.2.2406.123
Vendor Advisory: https://advisory.splunk.com/advisories/SVD-2025-1003
Restart Required: Yes
Instructions:
1. Backup your Splunk configuration and data.
2. Download the appropriate patch from Splunk's downloads page.
3. Stop all Splunk services.
4. Apply the patch following Splunk's upgrade documentation.
5. Restart Splunk services.
6. Verify the version is updated.
🔧 Temporary Workarounds
Restrict Saved Search Creation
Limit which users can create saved searches to reduce the attack surface
splunk edit user <username> -role <role_without_saved_search_permissions>
Implement Content Security Policy
Add CSP headers to restrict JavaScript execution from untrusted sources
Add 'Content-Security-Policy' header to web.conf with appropriate directives
🧯 If You Can't Patch
- Implement strict input validation and output encoding for all user-controlled data in saved searches
- Monitor for unusual saved search creation or modification patterns and review saved search content regularly
🔍 How to Verify
Check if Vulnerable:
Check Splunk version via web interface (Settings > Server Info) or CLI. Compare against affected versions list.
Check Version:
splunk version
Verify Fix Applied:
Verify version is at or above patched versions. Test saved search functionality to ensure error messages are properly sanitized.
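The version comparison above can be scripted so it is not done by eye. The following is an added example, not part of the advisory page or Splunk's own tooling: it parses the output of `splunk version` (or a bare version string) and compares it against the fixed versions listed in this page, keyed by release train. Trains the page lists no fix for are reported as unknown rather than guessed; the sample inputs in `__main__` are constructed.

```python
import re

# First fixed versions as listed on this page for CVE-2025-20368.
# Enterprise trains are identified by the first two components (9.4, 9.3, 9.2),
# Cloud trains by the first three (9.3.2411, 9.3.2408, 9.2.2406).
FIXED_VERSIONS = {
    "enterprise": [(9, 4, 4), (9, 3, 6), (9, 2, 8)],
    "cloud": [(9, 3, 2411, 108), (9, 3, 2408, 118), (9, 2, 2406, 123)],
}


def parse_version(text):
    """Extract the numeric version tuple from text such as
    'Splunk 9.4.3 (build ...)' or a bare '9.3.2411.100'."""
    match = re.search(r"\b(\d+(?:\.\d+)+)\b", text)
    if not match:
        raise ValueError(f"no version number found in: {text!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def check_version(text, product="enterprise"):
    """Return 'patched', 'vulnerable' or 'unknown-train'.

    A version is judged only against the fixed release in its own train;
    anything on a train this page does not list gets 'unknown-train' so the
    caller consults the vendor advisory instead of assuming either way.
    """
    version = parse_version(text)
    train_len = 2 if product == "enterprise" else 3
    for fixed in FIXED_VERSIONS[product]:
        if version[:train_len] == fixed[:train_len]:
            # Tuple comparison is component-wise, so 9.4.10 >= 9.4.4 holds.
            return "patched" if version >= fixed else "vulnerable"
    return "unknown-train"


if __name__ == "__main__":
    # Constructed sample inputs, not real hosts.
    for sample, product in [("Splunk 9.4.3 (build 0000000)", "enterprise"),
                            ("Splunk 9.2.8 (build 0000000)", "enterprise"),
                            ("9.3.2408.117", "cloud"),
                            ("9.1.5", "enterprise")]:
        print(f"{sample:32} {product:10} -> {check_version(sample, product)}")
```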
📡 Detection & Monitoring
Log Indicators:
- Unusual saved search creation/modification patterns
- JavaScript code in saved search error messages
- Multiple failed saved search executions with suspicious content
Network Indicators:
- Unexpected JavaScript loading in Splunk web traffic
- Cross-origin requests from Splunk interface to external domains
SIEM Query:
index=_internal source=*web_access* saved_search AND (javascript OR script OR eval)