Splunk Inc. has disclosed a reflected cross-site scripting (XSS) vulnerability affecting both Splunk Enterprise and Splunk Cloud Platform, tracked as CVE-2025-20297. The flaw is detailed in Splunk’s security advisory SVD-2025-0601 and rated medium with a CVSSv3.1 score of 4.3.
Despite the moderate score, the flaw poses a real threat because it can be triggered by low-privileged users and requires no interaction from the victim.
The vulnerability resides in the pdfgen/render REST endpoint in Splunk Web, responsible for rendering dashboard PDFs. Attackers with minimal privileges can craft a malicious payload that executes unauthorized JavaScript in another user’s browser when the PDF is generated.
- Type: Reflected XSS (CWE-79)
- Endpoint: `/en-US/app/<app_name>/pdfgen/render`
- Access needed: Authenticated user with any role except “admin” or “power”
- Interaction: None required from the victim
- Impact: Possible session hijacking, data exfiltration
This makes the vulnerability accessible to a broader range of attackers who have basic credentials but no elevated access.
Vector string: `CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N`

- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Confidentiality: Limited impact
- Integrity & Availability: Not impacted
The issue affects several versions of Splunk Enterprise and Splunk Cloud. Splunk Enterprise 9.1 is not impacted.
| Product | Affected Versions | Fixed Version |
|---|---|---|
| Splunk Enterprise 9.4 | 9.4.1 | 9.4.2 |
| Splunk Enterprise 9.3 | 9.3.0 – 9.3.3 | 9.3.4 |
| Splunk Enterprise 9.2 | 9.2.0 – 9.2.5 | 9.2.6 |
| Splunk Enterprise 9.1 | Not Affected | 9.1.9 |
| Splunk Cloud 9.3.2411 | < 9.3.2411.102 | 9.3.2411.102 |
| Splunk Cloud 9.3.2408 | < 9.3.2408.111 | 9.3.2408.111 |
| Splunk Cloud 9.2.2406 | < 9.2.2406.118 | 9.2.2406.118 |
Splunk recommends upgrading to the fixed versions listed above.
Splunk Cloud users are automatically receiving patches.
For environments where upgrading is not immediately possible, disable Splunk Web to block the vulnerable component:

- Edit web.conf
- Disable the Web UI, noting that this also disables dashboards and PDF rendering

Additional hardening steps:

- Audit user privileges: restrict access to essential roles only.
- Monitor logs for any access attempts to pdfgen/render.
- Sanitize user input rigorously in custom apps or dashboards.
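To make the "monitor logs for access attempts to pdfgen/render" step concrete, here is an added example (not from Splunk's advisory or code) that scans web access log lines for requests to the vulnerable endpoint and flags query parameters carrying markup or script-like content. The log lines are constructed in a common-log-like shape; the real Splunk web_access.log layout may differ, so the `LOG_RE` pattern is an assumption to adjust.

```python
import re
from urllib.parse import urlsplit, unquote, parse_qsl

# Constructed sample lines (user field third); not real Splunk output.
SAMPLE_LOG = """\
10.0.0.5 - analyst [02/Jun/2025:09:12:01.000 +0000] "GET /en-US/app/search/pdfgen/render?input_dashboard=sales_kpi&paper-size=a4 HTTP/1.1" 200 48211
10.0.0.9 - contractor [02/Jun/2025:09:13:44.000 +0000] "GET /en-US/app/search/pdfgen/render?input_dashboard=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 1337
10.0.0.5 - analyst [02/Jun/2025:09:14:10.000 +0000] "GET /en-US/app/search/search?q=index%3Dmain HTTP/1.1" 200 9921
"""

# Assumed common-log-like layout: ip ident user [timestamp] "METHOD url PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)
# The affected endpoint from the advisory: /<locale>/app/<app_name>/pdfgen/render
PDFGEN_PATH = re.compile(r"^/[A-Za-z-]+/app/[^/]+/pdfgen/render$")
# Characters and tokens that never belong in a dashboard name or PDF option
SUSPICIOUS = re.compile(r"[<>\"']|javascript:|on\w+=", re.IGNORECASE)


def analyze(log_text):
    """Return one finding per pdfgen/render request, noting suspicious params."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        if not PDFGEN_PATH.match(parts.path):
            continue
        # parse_qsl decodes once; unquote again to catch double-encoded values
        params = {k: unquote(v) for k, v in parse_qsl(parts.query, keep_blank_values=True)}
        bad = sorted(k for k, v in params.items() if SUSPICIOUS.search(v))
        findings.append({
            "user": m["user"],
            "ip": m["ip"],
            "status": int(m["status"]),
            "params": params,
            "suspicious_params": bad,
        })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        flag = "ALERT" if f["suspicious_params"] else "info"
        print(f"[{flag}] {f['user']}@{f['ip']} pdfgen/render params={f['params']}")
```

Every hit on the endpoint is recorded so reviewers can baseline normal PDF generation per user, while entries with `suspicious_params` are the ones worth escalating.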
Although classified as a medium-severity vulnerability, the lack of required user interaction and low privilege threshold significantly elevate its risk in real-world environments. A successful exploit could enable:
- Session hijacking
- JavaScript-based phishing attacks
- Data exfiltration from users with access to sensitive dashboards
Splunk credits Klevis Luli for responsibly disclosing this vulnerability.
The CVE-2025-20297 XSS vulnerability in Splunk’s dashboard rendering system is a stark reminder that even non-critical CVSS ratings can pose serious security challenges—especially when the exploit requires minimal permissions.
Organizations using Splunk Enterprise or Splunk Cloud should apply the latest patches without delay and consider additional hardening of user access and application endpoints.
Copyright 2026 Tech Providence