Third-Party Package Updates in Splunk Machine Learning Toolkit - June 2025

Advisory ID: SVD-2025-0606

CVE ID: Multiple

Published: 2025-06-12

Last Update: 2025-06-12

Description

Splunk remedied common vulnerabilities and exposures (CVEs) in third-party packages in Splunk Machine Learning Toolkit (MLTK) version 5.6.0, including the following:

| Package | Remediation | CVE | Severity |
|---|---|---|---|
| cross-spawn [1] | Upgraded to v7.0.5 | CVE-2024-21538 | High |
| serialize-javascript [2] | Upgraded to v6.0.2 | CVE-2024-11831 | Medium |
| dompurify [3] | Upgraded to v3.2.4 | CVE-2025-26791 | Medium |
| nanoid [4] | Upgraded to v3.3.8 | CVE-2024-55565 | Medium |
| elliptic [5] | Upgraded to v6.6.0 | CVE-2024-48948 | Medium |
| @babel/runtime [6] | Upgraded to v7.26.10 | CVE-2025-27789 | Medium |

[1] Upgraded cross-spawn from v7.0.3 to v7.0.5 to remedy CVE-2024-21538.

[2] Upgraded serialize-javascript from v6.0.0 to v6.0.2 to remedy CVE-2024-11831.

[3] Upgraded dompurify from v2.5.4 to v3.2.4 to remedy CVE-2025-26791.

[4] Upgraded nanoid from v3.3.7 to v3.3.8 to remedy CVE-2024-55565.

[5] Upgraded elliptic from v6.5.7 to v6.6.0 to remedy CVE-2024-48948.

[6] Upgraded babel/runtime from v7.25.0 to v7.26.10 to remedy CVE-2025-27789.

Solution

Upgrade Splunk Machine Learning Toolkit (MLTK) to version 5.6.0 or higher.
For Splunk Machine Learning Toolkit (MLTK), upgrading Python for Scientific Computing (PSC) to version 4.2.3 requires updating MLTK to version 5.6.0 or higher. See https://docs.splunk.com/Documentation/MLApp/latest/User/Upgrade for upgrade help and https://docs.splunk.com/Documentation/MLApp/latest/User/Installandconfigure for more information on the version compatibility.
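
One way to check a host against the Solution above, as an added example that is not Splunk's own code: it reads the version from app.conf text and flags MLTK below 5.6.0, including the case where PSC is already at 4.2.3. Taking the version from the [launcher] or [id] stanza of each app's app.conf, and treating PSC releases after 4.2.3 like 4.2.3, are assumptions; the sample conf contents are constructed.

```python
import re

MLTK_FIXED = (5, 6, 0)     # "Fix Version" in the Product Status table
PSC_NEEDS_FIX = (4, 2, 3)  # PSC version the Solution note ties to MLTK 5.6.0

def conf_version(app_conf_text):
    """Return the version from [launcher] (falling back to [id]) in app.conf text."""
    stanza, found = None, {}
    for raw in app_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            stanza = header.group(1).strip()
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip() == "version" and stanza in ("launcher", "id"):
            found.setdefault(stanza, value.strip())
    return found.get("launcher") or found.get("id")

def parse_version(text):
    """'5.5' -> (5, 5, 0): missing components count as 0, suffixes are ignored."""
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text or "")
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def assess(mltk_conf, psc_conf=None):
    """Return (status, detail) for one host's app.conf contents."""
    mltk = conf_version(mltk_conf)
    if mltk is None:
        return ("unknown", "no version in MLTK app.conf")
    if parse_version(mltk) >= MLTK_FIXED:
        return ("fixed", f"MLTK {mltk}")
    psc = conf_version(psc_conf) if psc_conf else None
    # Assumption: PSC releases after 4.2.3 carry the same MLTK requirement.
    if psc and parse_version(psc) >= PSC_NEEDS_FIX:
        return ("affected", f"MLTK {mltk} with PSC {psc}: upgrade MLTK to 5.6.0+")
    return ("affected", f"MLTK {mltk} is below 5.6.0")

# Constructed app.conf samples (not taken from a real deployment).
OLD_MLTK = "[install]\nis_configured = 1\n\n[launcher]\n# metadata\nversion = 5.5.0\n\n[id]\nversion = 5.5.0\n"
NEW_MLTK = "[id]\nname = Splunk_ML_Toolkit\nversion = 5.6.0\n"
NEW_PSC = "[launcher]\nversion = 4.2.3\n"

if __name__ == "__main__":
    for host, args in [("host-a", (OLD_MLTK,)), ("host-b", (OLD_MLTK, NEW_PSC)), ("host-c", (NEW_MLTK,))]:
        print(host, *assess(*args))
```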

Product Status

| Product | Base Version | Affected Version | Fix Version |
|---|---|---|---|
| Splunk Machine Learning Toolkit (MLTK) | 5.6 | Below 5.6.0 | 5.6.0 |

Severity

For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.