Platform: splunk
Component: splunk-enterprise
Fixed in (Splunk Enterprise): 10.0.2, 9.4.6, 9.3.8, 9.2.10
Fixed in (Splunk Cloud Platform): 10.1.2507.6, 10.0.2503.7, 9.3.2411.117
CVE-2025-20385 is a Cross-Site Scripting (XSS) vulnerability affecting Splunk Enterprise versions prior to 10.1.2507.6 and Splunk Cloud Platform versions prior to 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117. An attacker with the adminallobjects role can exploit this vulnerability to execute malicious JavaScript code within a user's browser. The vulnerability was published on December 3, 2025, and a fix is available in the versions listed above.
This XSS vulnerability allows a malicious user with the adminallobjects role to inject arbitrary JavaScript code into the Splunk Enterprise interface. This code will then execute in the context of other users' browsers when they navigate to the affected collection. An attacker could leverage this to steal session cookies, redirect users to phishing sites, or deface the Splunk interface. The impact is particularly concerning given the high privileges associated with the adminallobjects role, potentially granting an attacker access to sensitive data and control over the Splunk environment. Successful exploitation could lead to unauthorized data access and modification, impacting the integrity and confidentiality of Splunk data.
CVE-2025-20385 is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet available, but the vulnerability's relatively simple nature suggests that one may emerge. The LOW CVSS score reflects the requirement for an adminallobjects role, limiting the potential attack surface. The vulnerability was publicly disclosed on December 3, 2025.
Exploit Status:
EPSS: 0.05% (14th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2025-20385 is to upgrade Splunk Enterprise to version 10.1.2507.6 or later, or Splunk Cloud Platform to version 10.1.2507.6, 10.0.2503.7, or 9.3.2411.117. If an immediate upgrade is not possible, restrict the adminallobjects role to trusted users only. A direct WAF rule is difficult to implement because of the nature of stored XSS, so instead carefully review and restrict the HTML tags and attributes allowed within collection names and descriptions. After upgrading, confirm the vulnerability is resolved by attempting to inject a simple JavaScript payload within a collection's navigation bar and verifying that it does not execute.
Update Splunk Enterprise to version 10.0.2, 9.4.6, 9.3.8, 9.2.10 or later. For Splunk Cloud Platform, update to version 10.1.2507.6, 10.0.2503.7 or 9.3.2411.117 or later. This corrects the stored XSS vulnerability in the navigation bar.
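As an added example (not code from Splunk or from this advisory), the following Python check maps an installed version string to the fixed versions listed above. It assumes Splunk Enterprise fixes are per release branch (10.0.2, 9.4.6, 9.3.8, 9.2.10), Splunk Cloud Platform fixes are per build series (10.1.2507.6, 10.0.2503.7, 9.3.2411.117), and that version strings are dotted integers; the inventory is constructed sample data.

```python
from typing import Iterable, List, Optional, Tuple

# Fixed versions stated on this page, keyed by branch: "major.minor" for
# Splunk Enterprise, "major.minor.buildseries" for Splunk Cloud Platform.
ENTERPRISE_FIXED = {"10.0": "10.0.2", "9.4": "9.4.6", "9.3": "9.3.8", "9.2": "9.2.10"}
CLOUD_FIXED = {"10.1.2507": "10.1.2507.6", "10.0.2503": "10.0.2503.7",
               "9.3.2411": "9.3.2411.117"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Split a dotted version string into an integer tuple for comparison."""
    return tuple(int(p) for p in v.strip().split("."))


def is_fixed(version: str, platform: str) -> Optional[bool]:
    """True if the version carries the fix, False if it is still vulnerable,
    None if its branch is not covered by the advisory's fixed-version list."""
    parts = parse_version(version)
    if platform == "enterprise":
        branch, table = ".".join(map(str, parts[:2])), ENTERPRISE_FIXED
    elif platform == "cloud":
        branch, table = ".".join(map(str, parts[:3])), CLOUD_FIXED
    else:
        raise ValueError(f"unknown platform: {platform}")
    fixed = table.get(branch)
    if fixed is None:
        return None
    return parts >= parse_version(fixed)


def vulnerable_hosts(inventory: Iterable[Tuple[str, str, str]]) -> Tuple[List[str], List[str]]:
    """Return (hosts needing the upgrade, hosts whose branch needs manual review)."""
    needs_upgrade, unknown = [], []
    for host, platform, version in inventory:
        status = is_fixed(version, platform)
        if status is None:
            unknown.append(host)
        elif not status:
            needs_upgrade.append(host)
    return needs_upgrade, unknown


# Constructed sample inventory (hypothetical hostnames, not real systems).
SAMPLE_INVENTORY = [
    ("sh01", "enterprise", "9.4.5"),
    ("sh02", "enterprise", "9.4.6"),
    ("idx01", "enterprise", "10.0.1"),
    ("idx02", "enterprise", "9.1.7"),
    ("cloud-stack", "cloud", "10.0.2503.6"),
    ("cloud-stack2", "cloud", "9.3.2411.117"),
]

if __name__ == "__main__":
    needs, unknown = vulnerable_hosts(SAMPLE_INVENTORY)
    print("needs upgrade:", needs)          # ['sh01', 'idx01', 'cloud-stack']
    print("branch not in advisory:", unknown)  # ['idx02']
```

Hosts reported as unknown run a branch the advisory does not list, so they should be checked against Splunk's own advisory rather than assumed safe.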
CVE-2025-20385 is a Cross-Site Scripting (XSS) vulnerability in Splunk Enterprise versions before 10.1.2507.6, allowing attackers with the adminallobjects role to execute JavaScript.
You are affected if you are running Splunk Enterprise versions earlier than 10.1.2507.6 or Splunk Cloud Platform versions earlier than 10.1.2507.6, 10.0.2503.7, and 9.3.2411.117, and have users with the adminallobjects role.
Upgrade Splunk Enterprise to version 10.1.2507.6 or later, or Splunk Cloud Platform to version 10.1.2507.6, 10.0.2503.7, or 9.3.2411.117. Restrict the adminallobjects role if an immediate upgrade is not possible.
There are currently no confirmed reports of active exploitation, but the vulnerability's simplicity suggests it may be targeted in the future.
Refer to the official Splunk security advisory for CVE-2025-20385 on the Splunk website (link to advisory would be here if available).