ANSI Escape Code Injection in Splunk Enterprise <10.0.1/9.4.6/9.3.8/9.2.10
CVE-2025-20384 Published on December 3, 2025
Unauthenticated Log Injection in Splunk Enterprise
In Splunk Enterprise versions below 10.0.1, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.4, 10.0.2503.6, and 9.3.2411.117.125, an unauthenticated attacker can inject American National Standards Institute (ANSI) escape codes into Splunk log files due to improper validation at the /en-US/static/ web endpoint. This may allow them to poison, forge, or obfuscate sensitive log data through specially crafted HTTP requests, potentially impacting log integrity and detection capabilities.
Weakness Type
Improper Output Neutralization for Logs
The software does not neutralize or incorrectly neutralizes output that is written to logs.
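For defenders reviewing logs that may have been written before patching, the following added example (not Splunk's or stack.watch's code) flags lines that carry ANSI escape sequences and rewrites them with control bytes made visible, which is the neutralization the weakness description says is missing. The sample lines and their log format are constructed for illustration and are not real Splunk log output.

```python
import re

# Escape sequences a terminal would interpret when the log is viewed.
ANSI_SEQ = re.compile(
    r"\x1b\[[0-?]*[ -/]*[@-~]"              # CSI: colours, cursor movement, erase line
    r"|\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)"   # OSC: e.g. terminal title changes
    r"|\x1b[@-Z\\-_]"                       # other two-character escapes
    r"|\x9b[0-?]*[ -/]*[@-~]"               # 8-bit CSI introducer
)
# Any remaining C0/C1 control character except tab (covers stray ESC, CR, BEL).
CONTROL = re.compile(r"[\x00-\x08\x0a-\x1f\x7f-\x9f]")


def find_escapes(line):
    """Return the escape sequences found in one log line, in order."""
    return [m.group(0) for m in ANSI_SEQ.finditer(line)]


def neutralize(line):
    """Make a line safe to print: each control byte becomes literal \\xNN text."""
    return CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), line)


def scan(lines):
    """Yield (line_number, neutralized_line, neutralized_sequences) for suspect lines."""
    for n, line in enumerate(lines, 1):
        line = line.rstrip("\n")
        seqs = find_escapes(line)
        if seqs or CONTROL.search(line):
            yield n, neutralize(line), [neutralize(s) for s in seqs]


# Constructed sample input (hypothetical format, not actual Splunk log lines).
SAMPLE = [
    '203.0.113.5 [03/Dec/2025:10:00:01] "GET /en-US/static/app.css" 200\n',
    '203.0.113.9 [03/Dec/2025:10:00:02] "GET /en-US/static/\x1b[2K\x1b[1Gx" 404\n',
    '203.0.113.9 [03/Dec/2025:10:00:03] "GET /en-US/static/\x1b[31mALERT\x1b[0m" 404\n',
]

if __name__ == "__main__":
    for lineno, safe, seqs in scan(SAMPLE):
        print(f"line {lineno}: {len(seqs)} escape sequence(s) {seqs}")
        print(f"  {safe}")
```

Reading suspect files through a filter like this, rather than with `cat` or `tail` in a terminal, keeps the sequences from being interpreted while the logs are under review.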
Products Associated with CVE-2025-20384
Affected Versions
Splunk Enterprise:
- Version 10.0 and below 10.0.1 is affected.
- Version 9.4 and below 9.4.6 is affected.
- Version 9.3 and below 9.3.8 is affected.
- Version 9.2 and below 9.2.10 is affected.

Splunk Cloud Platform:
- Version 10.1.2507 and below 10.1.2507.4 is affected.
- Version 10.0.2503 and below 10.0.2503.6 is affected.
- Version 9.3.2411 and below 9.3.2411.117 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.