Third-Party Package Updates in Python for Scientific Computing - June 2025
Advisory ID: SVD-2025-0605
CVE ID: Multiple
Published: 2025-06-12
Last Update: 2025-06-12
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in third-party packages in Python for Scientific Computing versions 4.2.3 or 3.2.3 and higher, including the following:
Package | Remediation | CVE | Severity |
---|---|---|---|
OpenSSL | Upgraded to v3.4.1 | CVE-2024-12797 | Low |
onnx [1] | Upgraded to v1.17.0 | Multiple | Critical |
jinja2 [2] | Upgraded to v3.1.6 | Multiple | Medium |
pytorch [3] | Upgraded to v2.6.0 | CVE-2025-32434 | Critical |
[1] Upgraded onnx from v1.16.0 to v1.17.0 to remedy CVE-2024-7776 and CVE-2024-5187.
[2] Upgraded jinja2 from v3.1.5 to v3.1.6 to remedy CVE-2025-27516, CVE-2024-56201, and CVE-2024-56326. The jinja2 library is not present in version 3.2.x.
[3] Upgraded pytorch from v2.2.2 to v2.6.0 to remedy CVE-2025-32434. Note: The pytorch library has been removed in this version for Mac Intel, and the PyTorch library is not included in version 3.2.x.
Solution
Upgrade Python for Scientific Computing (PSC) to version 4.2.3 or 3.2.3 or higher.
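To confirm that a PSC environment actually carries the remediated package versions listed above, the following check script can be run with the PSC interpreter. It is an added example, not part of the Splunk advisory; the version floors are taken from the table, while the PyPI distribution name "torch" for pytorch and the treatment of absent packages are assumptions.

```python
"""Verify installed package versions against the floors in this advisory.
Added example, not Splunk's own code. Version floors come from the
advisory table; the distribution name "torch" for pytorch is an assumption."""
import re
import ssl
from importlib import metadata

# Minimum remediated versions from the advisory (PSC 4.2.3 / 3.2.3).
FIXED_VERSIONS = {
    "onnx": "1.17.0",
    "jinja2": "3.1.6",
    "torch": "2.6.0",   # assumed distribution name for pytorch
}
OPENSSL_FIXED = (3, 4, 1)


def parse_version(text):
    """Turn '3.1.6' or '2.6.0+cu124' into a 3-tuple of ints.
    The local label after '+' is dropped; pre-release tags (rc1, etc.)
    are not distinguished, so '2.6.0rc1' compares equal to '2.6.0'."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("+")[0])[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def check_packages(installed=None):
    """Return {name: 'ok' | 'vulnerable' | 'absent'} for each listed package.
    `installed` maps distribution names to version strings; when None the
    live environment is queried through importlib.metadata."""
    results = {}
    for name, floor in FIXED_VERSIONS.items():
        if installed is not None:
            ver = installed.get(name)
        else:
            try:
                ver = metadata.version(name)
            except metadata.PackageNotFoundError:
                ver = None
        if ver is None:
            results[name] = "absent"       # e.g. jinja2 and pytorch in PSC 3.2.x
        elif parse_version(ver) >= parse_version(floor):
            results[name] = "ok"
        else:
            results[name] = "vulnerable"
    return results


def check_openssl(version_info=None):
    """Compare the OpenSSL linked into the ssl module against the fixed 3.4.1.
    ssl.OPENSSL_VERSION_INFO is (major, minor, fix, patch, status)."""
    info = ssl.OPENSSL_VERSION_INFO if version_info is None else version_info
    return "ok" if tuple(info[:3]) >= OPENSSL_FIXED else "vulnerable"


if __name__ == "__main__":
    for name, status in check_packages().items():
        print(f"{name}: {status}")
    print(f"openssl: {check_openssl()}")
```

Run it with the interpreter shipped inside PSC, not the system Python, since the bundled packages are what the advisory covers.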
For Splunk Machine Learning Toolkit (MLTK), upgrading PSC to version 4.2.3 requires updating MLTK to version 5.6.0 or higher. See https://docs.splunk.com/Documentation/MLApp/latest/User/Upgrade for upgrade help and https://docs.splunk.com/Documentation/MLApp/latest/User/Installandconfigure for more information on the version compatibility.
For Splunk IT Service Intelligence (ITSI), upgrading PSC to version 4.2.3 might cause problems with ITSI Predictive Analytics. After an upgrade of PSC, ITSI Predictive Analytics models might require retraining. See https://docs.splunk.com/Documentation/ITSI/latest/SI/ManageModel for more information.
Product Status
Product | Base Version | Affected Version | Fix Version |
---|---|---|---|
Python for Scientific Computing (for Linux 64-bit) | 4.2 | 4.2.2 | 4.2.3 |
Python for Scientific Computing (for Mac Apple Silicon) | 4.2 | 4.2.2 | 4.2.3 |
Python for Scientific Computing (for Mac Intel) | 4.2 | 4.2.2 | 4.2.3 |
Python for Scientific Computing (for Windows 64-bit) | 4.2 | 4.2.2 | 4.2.3 |
Python for Scientific Computing (for Linux 64-bit) | 3.2 | 3.2.2 | 3.2.3 |
Python for Scientific Computing (for Mac Apple Silicon) | 3.2 | 3.2.2 | 3.2.3 |
Python for Scientific Computing (for Mac Intel) | 3.2 | 3.2.2 | 3.2.3 |
Python for Scientific Computing (for Windows 64-bit) | 3.2 | 3.2.2 | 3.2.3 |
Severity
For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.