Third-Party Package Updates in Python for Scientific Computing - June 2025

Advisory ID: SVD-2025-0605

CVE ID:  Multiple

Published: 2025-06-12

Last Update: 2025-06-12

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in third-party packages in Python for Scientific Computing versions 4.2.3 and 3.2.3 and higher, including the following:

| Package     | Remediation         | CVE            | Severity |
|-------------|---------------------|----------------|----------|
| OpenSSL     | Upgraded to v3.4.1  | CVE-2024-12797 | Low      |
| onnx [1]    | Upgraded to v1.17.0 | Multiple       | Critical |
| jinja2 [2]  | Upgraded to v3.1.6  | Multiple       | Medium   |
| pytorch [3] | Upgraded to v2.6.0  | CVE-2025-32434 | Critical |

[1] Upgraded onnx from v1.16.0 to v1.17.0 to remedy CVE-2024-7776 and CVE-2024-5187.

[2] Upgraded jinja2 from v3.1.5 to v3.1.6 to remedy CVE-2025-27516, CVE-2024-56201, and CVE-2024-56326. The jinja2 library is not present in version 3.2.x.

[3] Upgraded pytorch from v2.2.2 to v2.6.0 to remedy CVE-2025-32434. Note: The pytorch library has been removed in this version for Mac Intel, and the PyTorch library is not included in version 3.2.x.

Solution

Upgrade Python for Scientific Computing (PSC) to version 4.2.3 or 3.2.3 or higher.
For Splunk Machine Learning Toolkit (MLTK), upgrading PSC to version 4.2.3 requires updating MLTK to version 5.6.0 or higher. See https://docs.splunk.com/Documentation/MLApp/latest/User/Upgrade for upgrade help and https://docs.splunk.com/Documentation/MLApp/latest/User/Installandconfigure for more information on the version compatibility.
For Splunk IT Service Intelligence (ITSI), upgrading PSC to version 4.2.3 might cause problems with ITSI Predictive Analytics. After an upgrade of PSC, ITSI Predictive Analytics models might require retraining. See https://docs.splunk.com/Documentation/ITSI/latest/SI/ManageModel for more information.
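To confirm after the upgrade that a PSC Python environment actually carries the package versions this advisory names, the following check is an added example (not Splunk's code); it assumes it is run with the PSC interpreter and that the packages are installed under their PyPI distribution names onnx, Jinja2 and torch.

```python
import ssl
from importlib import metadata

# Minimum fixed versions from advisory SVD-2025-0605. Distribution names
# (onnx, Jinja2, torch) are an assumption: the PyPI names of the packages.
REQUIRED = {
    "onnx": "1.17.0",
    "Jinja2": "3.1.6",
    "torch": "2.6.0",
}
OPENSSL_MIN = (3, 4, 1)


def parse_version(text):
    """Turn '3.1.6', '2.6', or '2.6.0+cu124' into a comparable 3-tuple."""
    core = text.split("+")[0]          # drop local build tags such as +cu124
    parts = []
    for piece in core.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break                  # '0rc1' -> 0
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:              # '2.6' compares equal to '2.6.0'
        parts.append(0)
    return tuple(parts[:3])


def is_fixed(installed, minimum):
    """True when the installed version meets the advisory's minimum."""
    return parse_version(installed) >= parse_version(minimum)


def check_packages(required=REQUIRED):
    """Map each distribution to (installed_version_or_None, ok).

    A package that is not installed cannot carry the CVE (jinja2 and torch
    are absent from the 3.2.x line), so it is reported as ok with None.
    """
    results = {}
    for dist, minimum in required.items():
        try:
            installed = metadata.version(dist)
        except metadata.PackageNotFoundError:
            results[dist] = (None, True)
            continue
        results[dist] = (installed, is_fixed(installed, minimum))
    return results


def check_openssl(version_info=None):
    """True when the OpenSSL linked into this interpreter is >= 3.4.1."""
    info = ssl.OPENSSL_VERSION_INFO if version_info is None else version_info
    return tuple(info[:3]) >= OPENSSL_MIN
```

Run check_packages() and check_openssl() under the PSC interpreter on each host; any False entry means the upgrade did not land in that environment.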

Product Status

| Product                                                 | Base Version | Affected Version | Fix Version |
|---------------------------------------------------------|--------------|------------------|-------------|
| Python for Scientific Computing (for Linux 64-bit)      | 4.2          | 4.2.2            | 4.2.3       |
| Python for Scientific Computing (for Mac Apple Silicon) | 4.2          | 4.2.2            | 4.2.3       |
| Python for Scientific Computing (for Mac Intel)         | 4.2          | 4.2.2            | 4.2.3       |
| Python for Scientific Computing (for Windows 64-bit)    | 4.2          | 4.2.2            | 4.2.3       |
| Python for Scientific Computing (for Linux 64-bit)      | 3.2          | 3.2.2            | 3.2.3       |
| Python for Scientific Computing (for Mac Apple Silicon) | 3.2          | 3.2.2            | 3.2.3       |
| Python for Scientific Computing (for Mac Intel)         | 3.2          | 3.2.2            | 3.2.3       |
| Python for Scientific Computing (for Windows 64-bit)    | 3.2          | 3.2.2            | 3.2.3       |

Severity

For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.