Third-Party Package Updates in Splunk Enterprise - November 2025
Advisory ID: SVD-2025-1103
CVE ID: Multiple
Published: 2025-11-12
Last Update: 2025-12-05
Description
Splunk remedied common vulnerabilities and exposures (CVEs) in Third Party Packages in Splunk Enterprise versions 10.0.1, 9.4.5, 9.3.7, 9.2.9, and higher.
| Package | Remediation | CVE | Severity |
|---|---|---|---|
| jackson-core1 | Upgraded | CVE-2025-52999 | High |
| libcurl2 | Upgraded to 8.14.1 | Multiple | High |
1 Upgraded jackson-core to 2.15.0 to remedy CVE-2025-52999
2 Upgraded libcurl from version 8.11.1 to 8.14.1 to remedy CVE-2025-0167, CVE-2025-0725, CVE-2025-5025, and CVE-2025-4947. Fixed in 9.3.8, already fixed in 10.0.1, 9.4.5, and 9.2.9
Solution
Upgrade Splunk Enterprise to versions 10.0.1, 9.4.5, 9.3.7, 9.2.9, or higher.
Product Status
| Product | Base Version | Affected Version | Fix Version |
|---|---|---|---|
| Splunk Enterprise | 10.0 | 10.0.0 | 10.0.1 |
| Splunk Enterprise | 9.4 | 9.4.0 to 9.4.4 | 9.4.5 |
| Splunk Enterprise | 9.3 | 9.3.0 to 9.3.6 | 9.3.7 |
| Splunk Enterprise | 9.2 | 9.2.0 to 9.2.8 | 9.2.9 |
Severity
For the CVEs in this list, Splunk adopted the vendor’s severity rating or the National Vulnerability Database (NVD) common vulnerability scoring system (CVSS) rating, as available.
Changelog
- 2025-12-05: Added the libcurl package to the advisory.