Third-Party Package Updates in Splunk Enterprise - October 2025
Advisory ID: SVD-2025-1007
CVE ID: Multiple
Published: 2025-10-01
Last Update: 2025-10-01
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.0.1, 9.4.4, 9.3.6, 9.2.8, and higher.
Package | Remediation | CVE | Severity |
---|---|---|---|
protobuf-java¹ | Removed | Multiple | High |
mongod² | Upgraded to 7.0.14 | Multiple | High |
webpack³ | Removed | Multiple | High |
imports-loader⁴ | Removed | CVE-2022-37601 | Low |
libxml2⁵ | Patched | CVE-2025-32415 | High |
mongotools | Upgraded to 100.12.1. Remedied in 10.0.0. | CVE-2024-45337 | High |
jackson-core⁶ | Upgraded jackson-core to v2.15.0 | CVE-2025-52999 | High |
curl⁷ | Upgraded to v8.14.1 | Multiple | High |
¹ Removed protobuf-java from Splunk Enterprise to remedy CVE-2015-5237 and CVE-2024-7254.
² Upgraded KV store server version from 4.2 to 7.0 for Splunk Enterprise 10.0 and 9.4 to remedy CVE-2024-7553 and CVE-2024-1351.
³ Removed webpack from the Splunk Monitoring Console to remedy CVE-2022-46175, CVE-2022-37601, and CVE-2021-44906.
⁴ Removed imports-loader from the Splunk Monitoring Console to remedy CVE-2022-37601.
⁵ Applied the patch for CVE-2025-32415 to xmlschemas.c in libxml2 version 2.9.14. Remedied in 10.0.0.
⁶ Remedied in 10.0.0.
⁷ Upgraded curl to v8.14.1 to remedy CVE-2025-0167, CVE-2025-0725, CVE-2025-5025, and CVE-2025-4947. Remedied in 10.0.0.
Solution
Upgrade Splunk Enterprise to versions 10.0.1, 9.4.4, 9.3.6, 9.2.8, or higher.
Splunk is actively monitoring and patching Splunk Cloud Platform instances.
Product Status
Product | Base Version | Affected Version | Fix Version |
---|---|---|---|
Splunk Enterprise | 10.0 | 10.0.0 | 10.0.1 |
Splunk Enterprise | 9.4 | 9.4.0 to 9.4.3 | 9.4.4 |
Splunk Enterprise | 9.3 | 9.3.0 to 9.3.5 | 9.3.6 |
Splunk Enterprise | 9.2 | 9.2.0 to 9.2.7 | 9.2.8 |
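The Product Status table above can be applied to a fleet inventory of `splunk version` output as follows. This is an added example, not code from Splunk; the output format matched by the regular expression, and the host names and build ids in the sample, are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Product Status table from this advisory: base branch -> first fixed release.
FIX_VERSION = {(10, 0): (10, 0, 1), (9, 4): (9, 4, 4),
               (9, 3): (9, 3, 6), (9, 2): (9, 2, 8)}

# Assumed shape of `splunk version` output: "<product name> <x.y.z> (build <id>)".
VERSION_LINE = re.compile(r"^(Splunk(?: [A-Za-z][A-Za-z ]*?)?) (\d+)\.(\d+)\.(\d+)\b")


def classify(version_line):
    """Map one version line to a status for this advisory."""
    m = VERSION_LINE.match(version_line.strip())
    if not m:
        return "unparsed"
    # The table covers Splunk Enterprise only; other products are out of scope.
    if m.group(1) not in ("Splunk", "Splunk Enterprise"):
        return "out-of-scope"
    version = tuple(int(g) for g in m.groups()[1:])
    fix = FIX_VERSION.get(version[:2])
    if fix is None:
        # Branch absent from the table: the advisory states no status for it.
        return "not-listed"
    return "affected" if version < fix else "fixed"


def triage(inventory):
    """Group host names by status; inventory maps host -> version line."""
    groups = defaultdict(list)
    for host, line in sorted(inventory.items()):
        groups[classify(line)].append(host)
    return dict(groups)


# Constructed sample inventory (host names and build ids are made up).
SAMPLE = {
    "idx01": "Splunk 9.3.5 (build 000000000000)",
    "sh01": "Splunk 9.4.4 (build 000000000000)",
    "hf01": "Splunk 10.0.0 (build 000000000000)",
    "old01": "Splunk 9.1.7 (build 000000000000)",
    "uf01": "Splunk Universal Forwarder 9.2.3 (build 000000000000)",
    "lab01": "sh: splunk: command not found",
}

if __name__ == "__main__":
    for status, hosts in triage(SAMPLE).items():
        print(f"{status:12} {', '.join(hosts)}")
```

Hosts reported as `not-listed` run a branch the table does not mention, so their status has to be confirmed separately rather than inferred from this advisory.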
Severity
For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.