Splunk SOAR Addresses Vulnerabilities in Third-Party Packages – Update Now

Splunk has published a critical security advisory revealing that its Security Orchestration, Automation and Response (SOAR) platform was shipping vulnerable versions of more than a dozen popular open-source packages—some with publicly available exploits.

Advisory SVD-2025-0712 confirms that Splunk SOAR versions 6.4.0 and 6.4.1 have now been patched and that administrators must upgrade to 6.4.1 or higher without delay.

Splunk stresses that its severity classifications mirror the National Vulnerability Database (NVD) where scores are available.

Because many of the underlying issues enable remote compromise with minimal user interaction, organizations running on-prem or cloud instances below 6.4.1 face elevated risk levels.

SOC teams should prioritize testing and deployment of the latest release, verify that Automation Brokers are also current, and review playbooks for embedded dependencies.

| Package | Patched Version / Remediation | CVE ID(s) | Severity |
|---|---|---|---|
| git | v2.48.1 | CVE-2024-32002 | Critical |
| @babel/runtime | v7.26.10 | CVE-2025-27789 | Medium |
| django | v4.2.20 (Automation Broker) | CVE-2024-45230 | High |
| cryptography | v44.0.1 | CVE-2024-12797 | Medium |
| pyOpenSSL | v24.3.0 | CVE-2024-12797 | Medium |
| jquery DataTables | v1.13.11 | CVE-2020-28458, CVE-2021-23445 | High |
| DomPurify | v3.2.4 | CVE-2024-45801, CVE-2024-47875 | High |
| wkhtml | Removed | CVE-2022-35583 | High |
| cross-spawn | v7.0.6 | CVE-2024-21538 | High |
| @babel/traverse | v7.26.7 | CVE-2024-48949 | Critical |
| setuptools | v75.5.0 (6.4.0), v78.1.0 (6.4.1) | CVE-2024-6345 | High |
| axios | v1.7.9 (6.4.0), v1.8.3 (6.4.1) | CVE-2024-39338 | High |
| jinja | v3.1.4 | CVE-2024-34064 | Medium |
| tornado | v6.4.2 | CVE-2024-52804 | High |
| avahi-daemon | ‘enable-wide-area’ set to no | CVE-2024-52616 | Medium |
| werkzeug | v3.0.6 | CVE-2024-49767 | High |

Git’s CVE-2024-32002 is actively exploited, allowing arbitrary code execution during recursive clone operations.

Attackers weaponize malicious submodules to deposit hooks in the .git/ directory, which execute automatically.

Because SOAR playbooks often use Git to pull content, an unpatched engine could run malicious scripts without analyst visibility.

The @babel/traverse bug, CVE-2024-48949, stems from prototype pollution in Abstract Syntax Tree traversal.

A poisoned AST node can lead to arbitrary code execution in build pipelines or runtime JavaScript evaluation. Splunk’s move to 7.26.7 blocks this vector.

Splunk’s advisory echoes the software-supply-chain reality: security platforms themselves depend on hundreds of upstream projects.

Integrating Software Bill of Materials (SBOM) checks into CI/CD pipelines, subscribing to vendor advisories, and leveraging automated patch-management tools can cut mean-time-to-remediate dramatically.
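As an added example (not code from Splunk or the advisory), the script below encodes the fixed versions from the table above and compares them against a pip-freeze style package inventory, reporting anything still below the patched release. The lower-cased package keys, the use of the 6.4.1 column where two versions are listed, and the sample inventory are assumptions; the wkhtml removal and the avahi configuration change are not version checks and are left out.

```python
"""Compare a package inventory against the SVD-2025-0712 fixed-version table."""
import re

# Minimum fixed versions from the advisory table (6.4.1 values where two are
# listed). Keys are lower-cased distribution names; "jinja" on the page is the
# jinja2 distribution. wkhtml (removed) and avahi (config change) are out of scope.
FIXED = {
    "git": "2.48.1", "@babel/runtime": "7.26.10", "django": "4.2.20",
    "cryptography": "44.0.1", "pyopenssl": "24.3.0", "datatables": "1.13.11",
    "dompurify": "3.2.4", "cross-spawn": "7.0.6", "@babel/traverse": "7.26.7",
    "setuptools": "78.1.0", "axios": "1.8.3", "jinja2": "3.1.4",
    "tornado": "6.4.2", "werkzeug": "3.0.6",
}

def parse_version(text):
    """'v7.26.10' -> (7, 26, 10); tuples compare correctly across lengths."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def parse_freeze(text):
    """Parse 'name==version' lines (pip freeze style) into {name: version}."""
    inventory = {}
    for line in text.splitlines():
        if "==" in line:
            name, version = line.strip().split("==", 1)
            inventory[name.strip().lower()] = version.strip()
    return inventory

def check_inventory(inventory):
    """Return {name: (installed, required)} for packages below the fixed version."""
    findings = {}
    for name, installed in inventory.items():
        required = FIXED.get(name)
        if required and parse_version(installed) < parse_version(required):
            findings[name] = (installed, required)
    return findings

# Constructed sample inventory (not real SOAR output).
SAMPLE_FREEZE = """\
cryptography==43.0.1
pyOpenSSL==24.3.0
tornado==6.4.1
Werkzeug==3.0.6
setuptools==75.5.0
"""

if __name__ == "__main__":
    for name, (have, need) in check_inventory(parse_freeze(SAMPLE_FREEZE)).items():
        print(f"{name}: installed {have}, advisory requires >= {need}")
```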
