Third-Party Package Updates in Splunk Machine Learning Toolkit - June 2025
Advisory ID: SVD-2025-0606
CVE ID: Multiple
Published: 2025-06-12
Last Update: 2025-06-12
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in third-party packages in Splunk Machine Learning Toolkit (MLTK) version 5.6.0, including the following:
Package | Remediation | CVE | Severity |
---|---|---|---|
cross-spawn | Upgraded to v7.0.5 | CVE-2024-21538 | High |
serialize-javascript | Upgraded to v6.0.2 | CVE-2024-11831 | Medium |
dompurify | Upgraded to v3.2.4 | CVE-2025-26791 | Medium |
nanoid | Upgraded to v3.3.8 | CVE-2024-55565 | Medium |
elliptic | Upgraded to v6.6.0 | CVE-2024-48948 | Medium |
@babel/runtime | Upgraded to v7.26.10 | CVE-2025-27789 | Medium |
Solution
Upgrade Splunk Machine Learning Toolkit (MLTK) to version 5.6.0 or higher.
For Splunk Machine Learning Toolkit (MLTK), upgrading Python for Scientific Computing (PSC) to version 4.2.3 requires updating MLTK to version 5.6.0 or higher. See https://docs.splunk.com/Documentation/MLApp/latest/User/Upgrade for upgrade help and https://docs.splunk.com/Documentation/MLApp/latest/User/Installandconfigure for more information on version compatibility.
Product Status
Product | Base Version | Affected Version | Fix Version |
---|---|---|---|
Splunk Machine Learning Toolkit (MLTK) | 5.6 | Below 5.6.0 | 5.6.0 |
Severity
For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.