Unauthenticated Blind Server Side Request Forgery (SSRF) in Splunk Enterprise
Advisory ID: SVD-2025-1006
CVE ID: CVE-2025-20371
Published: 2025-10-01
Last Update: 2025-10-01
CVSSv3.1 Score: 7.5, High
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-918
Bug ID: VULN-30005
Description
In Splunk Enterprise versions below 10.0.1, 9.4.4, 9.3.6, and 9.2.8, and Splunk Cloud Platform versions below 9.3.2411.109, 9.3.2408.119, and 9.2.2406.122, an unauthenticated attacker could trigger a blind server-side request forgery (SSRF), potentially letting an attacker perform REST API calls on behalf of an authenticated high-privileged user.
To be successful, the attack requires the enableSplunkWebClientNetloc setting in the web.conf configuration file to have a value of true. Additionally, the attacker likely has to phish the victim by tricking them into initiating a request from their browser. The unauthenticated attacker should not be able to exploit the vulnerability at will.
See the web.conf configuration specification file for more information on the configuration settings.
Solution
Upgrade Splunk Enterprise to versions 10.0.1, 9.4.4, 9.3.6, 9.2.8, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product | Base Version | Component | Affected Version | Fix Version |
---|---|---|---|---|
Splunk Enterprise | 10.0 | REST API | 10.0.0 | 10.0.1 |
Splunk Enterprise | 9.4 | REST API | 9.4.0 to 9.4.3 | 9.4.4 |
Splunk Enterprise | 9.3 | REST API | 9.3.0 to 9.3.5 | 9.3.6 |
Splunk Enterprise | 9.2 | REST API | 9.2.0 to 9.2.7 | 9.2.8 |
Splunk Cloud Platform | 9.3.2411 | REST API | Below 9.3.2411.109 | 9.3.2411.109 |
Splunk Cloud Platform | 9.3.2408 | REST API | Below 9.3.2408.119 | 9.3.2408.119 |
Splunk Cloud Platform | 9.2.2406 | REST API | Below 9.2.2406.122 | 9.2.2406.122 |
Mitigations and Workarounds
To be successful, the attack requires the enableSplunkWebClientNetloc setting in the web.conf configuration file to have a value of true. An admin can turn the setting off on a Splunk Enterprise instance to mitigate the vulnerability by giving it a value of false.
See the web.conf configuration specification file for more information on the configuration settings.
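As an added example (not part of Splunk's advisory or product code), the following Python check applies the advisory's two conditions, affected version and enableSplunkWebClientNetloc = true, to an Enterprise version string and a web.conf body. It assumes the setting sits in the [settings] stanza and treats an absent key as false; the sample web.conf is constructed.

```python
import configparser
from typing import Optional, Tuple

# First fixed version per release line, from the advisory's Product Status table.
FIXED_VERSIONS = {
    (10, 0): (10, 0, 1),
    (9, 4): (9, 4, 4),
    (9, 3): (9, 3, 6),
    (9, 2): (9, 2, 8),
}

# Constructed sample; not taken from a real deployment.
SAMPLE_WEB_CONF = """\
# web.conf (constructed for this example)
[settings]
httpport = 8000
enableSplunkWebClientNetloc = true
"""

def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '9.4.3' (or '9.4.3-<build>') into the tuple (9, 4, 3)."""
    core = text.strip().split("-")[0]
    return tuple(int(part) for part in core.split("."))

def is_fixed_version(version: str) -> Optional[bool]:
    """True if the version carries the fix, False if it lies in an affected
    range, None if the release line is not listed in the advisory."""
    v = parse_version(version)
    fixed = FIXED_VERSIONS.get(v[:2])
    if fixed is None:
        return None
    return v >= fixed

def netloc_enabled(web_conf_text: str) -> bool:
    """Read enableSplunkWebClientNetloc from the [settings] stanza.
    Assumption: a missing key behaves like false."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(web_conf_text)
    if not cp.has_section("settings"):
        return False
    raw = cp.get("settings", "enableSplunkWebClientNetloc", fallback="false")
    return raw.strip().lower() in ("1", "true", "yes", "on")

def assess(version: str, web_conf_text: str) -> str:
    """Map version + setting onto the advisory's severity statements."""
    fixed = is_fixed_version(version)
    if fixed:
        return "not affected (fixed version)"
    if not netloc_enabled(web_conf_text):
        return "Informational (enableSplunkWebClientNetloc is false)"
    if fixed is None:
        return "unknown release line with setting true; review manually"
    return "High (affected version with enableSplunkWebClientNetloc = true)"
```

Splunk layers web.conf across apps, so feed the check the merged output of `splunk btool web list settings` rather than a single file.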
Detections
None
Severity
Splunk rates this vulnerability a 7.5, High, with a CVSSv3.1 vector of CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H.
If the enableSplunkWebClientNetloc setting has a value of false in the web.conf configuration file for Splunk Enterprise, there should be no impact and the severity would be Informational.
Acknowledgments
Alex Hordijk (hordalex)