CVE-2025-20384

EUVD-2025-201004

03.12.2025, 17:15

In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	5.3 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
cisco	CNA	5.3 MEDIUM				CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 19%

Affected Products (NVD)

Vendor	Product	Version
splunk	splunk	9.2.0 ≤ 𝑥 < 9.2.10
splunk	splunk	9.3.0 ≤ 𝑥 < 9.3.8
splunk	splunk	9.4.0 ≤ 𝑥 < 9.4.6
splunk	splunk	10.0.0
splunk	splunk_cloud_platform	9.3.2411 ≤ 𝑥 < 9.3.2411.117
splunk	splunk_cloud_platform	10.0.2503 ≤ 𝑥 < 10.0.2503.6
splunk	splunk_cloud_platform	10.1.2507 ≤ 𝑥 < 10.1.2507.4

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-117 - Improper Output Neutralization for Logs
The software does not neutralize or incorrectly neutralizes output that is written to logs.

References

https://advisory.splunk.com/advisories/SVD-2025-1203