GBHackers

Splunk SOAR Addresses Vulnerabilities in Third-Party Packages – Update Now


Splunk has published a critical security advisory revealing that its Security Orchestration, Automation and Response (SOAR) platform was shipping vulnerable versions of more than a dozen popular open-source packages—some with publicly available exploits.

Advisory SVD-2025-0712 confirms that the fixes ship in Splunk SOAR versions 6.4.0 and 6.4.1, and that administrators must upgrade to 6.4.1 or higher without delay.

Splunk stresses that its severity classifications mirror the National Vulnerability Database (NVD) where scores are available.

Because many of the underlying issues enable remote compromise with minimal user interaction, organizations running on-prem or cloud instances below 6.4.1 face elevated risk.

SOC teams should prioritize testing and deployment of the latest release, verify that Automation Brokers are also current, and review playbooks for embedded dependencies.

| Package | Patched Version / Remediation | CVE ID(s) | Severity |
|---|---|---|---|
| git | v2.48.1 | CVE-2024-32002 | Critical |
| @babel/runtime | v7.26.10 | CVE-2025-27789 | Medium |
| django | v4.2.20 (Automation Broker) | CVE-2024-45230 | High |
| cryptography | v44.0.1 | CVE-2024-12797 | Medium |
| pyOpenSSL | v24.3.0 | CVE-2024-12797 | Medium |
| jquery DataTables | v1.13.11 | CVE-2020-28458, CVE-2021-23445 | High |
| DomPurify | v3.2.4 | CVE-2024-45801, CVE-2024-47875 | High |
| wkhtml | Removed | CVE-2022-35583 | High |
| cross-spawn | v7.0.6 | CVE-2024-21538 | High |
| @babel/traverse | v7.26.7 | CVE-2024-48949 | Critical |
| setuptools | v75.5.0 (6.4.0), v78.1.0 (6.4.1) | CVE-2024-6345 | High |
| axios | v1.7.9 (6.4.0), v1.8.3 (6.4.1) | CVE-2024-39338 | High |
| jinja | v3.1.4 | CVE-2024-34064 | Medium |
| tornado | v6.4.2 | CVE-2024-52804 | High |
| avahi-daemon | 'enable-wide-area' set to no | CVE-2024-52616 | Medium |
| werkzeug | v3.0.6 | CVE-2024-49767 | High |

Git’s CVE-2024-32002 is actively exploited, allowing arbitrary code execution during recursive clone operations.

Attackers weaponize malicious submodules to deposit hooks in the .git/ directory, which execute automatically.

Because SOAR playbooks often use Git to pull content, an unpatched engine could run malicious scripts without analyst visibility.

The @babel/traverse bug, CVE-2024-48949, stems from prototype pollution in Abstract Syntax Tree traversal.

A poisoned AST node can lead to arbitrary code execution in build pipelines or runtime JavaScript evaluation. Splunk’s move to 7.26.7 blocks this vector.

Splunk’s advisory echoes the software-supply-chain reality: security platforms themselves depend on hundreds of upstream projects.

Integrating Software Bill of Materials (SBOM) checks into CI/CD pipelines, subscribing to vendor advisories, and leveraging automated patch-management tools can cut mean-time-to-remediate dramatically.
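As an added example (not Splunk's own tooling), the following Python script compares a dependency inventory against the version floors in the advisory table above, reporting any package still below its patched version; the pip-freeze-style inventory format, the lower-cased package keys and the sample inventory are assumptions made here:

```python
import re

# Version floors from the SVD-2025-0712 table (setuptools/axios: the 6.4.1 values).
# wkhtml (removed) and avahi-daemon (config change) have no version to compare.
ADVISORY_MINIMUMS = {
    "git": ("2.48.1", "CVE-2024-32002"),
    "@babel/runtime": ("7.26.10", "CVE-2025-27789"),
    "django": ("4.2.20", "CVE-2024-45230"),
    "cryptography": ("44.0.1", "CVE-2024-12797"),
    "pyopenssl": ("24.3.0", "CVE-2024-12797"),
    "jquery datatables": ("1.13.11", "CVE-2020-28458, CVE-2021-23445"),
    "dompurify": ("3.2.4", "CVE-2024-45801, CVE-2024-47875"),
    "cross-spawn": ("7.0.6", "CVE-2024-21538"),
    "@babel/traverse": ("7.26.7", "CVE-2024-48949"),
    "setuptools": ("78.1.0", "CVE-2024-6345"),
    "axios": ("1.8.3", "CVE-2024-39338"),
    "jinja": ("3.1.4", "CVE-2024-34064"),
    "tornado": ("6.4.2", "CVE-2024-52804"),
    "werkzeug": ("3.0.6", "CVE-2024-49767"),
}

def parse_version(text):
    """Turn 'v7.26.10' or '7.26.10' into a tuple of ints for ordering."""
    return tuple(int(p) for p in re.findall(r"\d+", text.strip().lstrip("vV")))

def parse_inventory(text):
    """Parse 'name==version' lines (pip-freeze style) into {name: version}."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "==" in line:
            name, version = line.split("==", 1)
            inventory[name.strip().lower()] = version.strip()
    return inventory

def find_outdated(inventory):
    """Return {package: (installed, minimum, cves)} for packages below the floor."""
    findings = {}
    for name, (minimum, cves) in ADVISORY_MINIMUMS.items():
        installed = inventory.get(name)  # absent packages are simply skipped
        if installed is not None and parse_version(installed) < parse_version(minimum):
            findings[name] = (installed, minimum, cves)
    return findings

# Constructed sample inventory for demonstration, not taken from a real SOAR host.
SAMPLE_INVENTORY = """\
git==2.45.2
@babel/traverse==7.25.9
tornado==6.4.2
"""
```

Feed it the real output of `pip freeze` (or an SBOM flattened to the same name==version form) to get a list of packages that still need the 6.4.1 upgrade.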
