Splunk Enterprise Web ANSI Escape Code Injection via HTTP Requests (CVE-2025-20384)

Critical Vulnerability Information Advisory ID: SVD-2025-1203 CVE ID: CVE-2025-20384 Published: 2025-12-03 Last Update: 2025-12-03 CVSSv3.1 Score: 5.3, Medium CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N CWE: CWE-117 Bug ID: VULN-43126 Description In Splunk Enterprise versions prior to 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and in Splunk Cloud Platform versions prior to 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117, unauthenticated attackers can inject American National Standards Institute (ANSI) escape codes into Splunk log files via specially crafted HTTP requests to the web endpoint, due to improper validation. This could allow them to poison, forge, or obfuscate sensitive log data, potentially impacting log integrity and detection capabilities. Solution Upgrade Splunk Enterprise to version 10.0.1, 9.4.6, 9.3.8, 9.2.10, or later. Splunk is actively monitoring and patching Splunk Cloud Platform instances. Product Status Mitigations and Workarounds This vulnerability affects instances with Splunk Web enabled. Disabling Splunk Web is a possible temporary workaround. See Disable unnecessary Splunk Enterprise components and the web.conf configuration specification for more information on disabling Splunk Web. Detections None Severity Splunk rates this vulnerability as 5.3, Medium, with CVSSv3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. Acknowledgments STÖK / Fredrik Alexandersson

Goal Reached Thanks to every supporter — we hit 100%!

Splunk Enterprise Web ANSI Escape Code Injection via HTTP Requests (CVE-2025-20384)