SB2026031315 - Splunk Enterprise Security update for third-party components
Published: March 13, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 38 secuirty vulnerabilities.
1) Resource management error (CVE-ID: CVE-2025-69230)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to improper management of internal resources within the application when reading invalid cookie attributes. A remote attacker can send specially crafted requests to the application and produce a huge amount of log entries, leading to a denial of service condition.
2) Input validation error (CVE-ID: CVE-2025-47913)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input when handling SSH_AGENT_SUCCESS responses in ssh agent. A malicious server can send a specially crafted response to the ssh client and crash it.
3) Out-of-bounds read (CVE-ID: CVE-2025-47914)
The vulnerability allows a remote attacker to perform a denial of service attack.
The vulnerability exists due to a boundary condition when processing new identity requests in SSH Agent servers. A remote attacker can send specially crafted GSSAPI authentication requests to the application, trigger an out-of-bounds read error and perform a denial of service (DoS) attack.
4) Resource exhaustion (CVE-ID: CVE-2025-58181)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources when parsing GSSAPI authentication requests. A remote attacker can send specially crafted GSSAPI authentication requests to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
5) Input validation error (CVE-ID: CVE-2025-22870)
The vulnerability allows a remote attacker to alter application's behavior.
The vulnerability exists due to insufficient validation of an IPv6 zone ID as a hostname component, when matching hosts against proxy patterns. For instance the NO_PROXY environment variable is set to "*.example.com", a request to
"[::1%25.example.com]:80` will incorrectly match and not be proxied. A remote attacker can alter application behavior and potentially gain access to sensitive information or functionality.
6) Input validation error (CVE-ID: CVE-2025-22872)
The vulnerability allows a remote attacker to perform code injection attacks.
The vulnerability exists due to insufficient validation of tags with unquoted attribute values that end with a solidus character (/). The tokenizer can interpret such tags as self-closing, leading to content following such tags as being placed in the wrong scope during DOM construction.
7) Insufficient technical documentation (CVE-ID: CVE-2024-51744)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due due to unclear documentation of the error behavior in "ParseWithClaims". A remote attacker can trick the victim into accepting invalid tokens, which can lead to information disclosure.
8) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2025-69224)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of non-ASCII characters within HTTP requests. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks but requires that a pure Python version of aiohttp is installed (i.e. without the usual C extensions) or AIOHTTP_NO_EXTENSIONS is enabled.
9) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2025-69225)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to the application allows non-ASCII decimals to be present in the Range header. A remote attacker can send a specially crafted HTTP request to the server and potentially smuggle arbitrary HTTP headers.
10) Improper handling of highly compressed data (CVE-ID: CVE-2025-69223)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the application does not properly handle highly compressed data within the auto_decompress feature. A remote attacker can send a specially crafted compressed HTTP request to the server and consume all available memory resources.
11) Resource exhaustion (CVE-ID: CVE-2025-61724)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in net/textproto due to the Reader.ReadResponse function constructs a response string through repeated string concatenation of lines. A remote attacker can trigger excessive CPU consumption and perform a denial of service (DoS) attack.
12) Resource exhaustion (CVE-ID: CVE-2025-69228)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the Request.post() method. A remote attacker can send large HTTP payloads to the application to trigger resource exhaustion and perform a denial of service (DoS) attack.
13) Infinite loop (CVE-ID: CVE-2025-69227)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop within the Request.post() method when optimisations are enabled (-O or PYTHONOPTIMIZE=1). A remote attacker send multiple HTTP POST requests to the server and perform a denial of service attack.
14) Resource exhaustion (CVE-ID: CVE-2025-69229)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the request.read() method. A remote attacker can trigger CPU exhaustion and perform a denial of service (DoS) attack.
15) Information disclosure (CVE-ID: CVE-2025-69226)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the web.static() function allows detection of existing path components. A remote non-authenticated attacker can brute-force file names on the system.
16) Deserialization of Untrusted Data (CVE-ID: CVE-2026-21226)
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insecure input validation when processing serialized data in Azure Core shared client library for Python. A remote user can pass specially crafted data to the application and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
17) Resource exhaustion (CVE-ID: CVE-2025-61725)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the ParseAddress function in net/mail does not properly control consumption of internal resources. A remote attacker can compose a specially crafted email message that triggers excessive CPU consumption leading to denial of service.
18) Resource exhaustion (CVE-ID: CVE-2025-61723)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in encoding/pem due to application does not properly control consumption of internal resources when parsing untrusted PEM input. A remote attacker can trigger CPU exhaustion and perform a denial of service (DoS) attack.
19) Resource exhaustion (CVE-ID: CVE-2025-22868)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to the jws package does not properly control consumption of internal resources when handling malformed tokens. A remote attacker can pass a malformed JWT token to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
20) Protection Mechanism Failure (CVE-ID: CVE-2025-22874)
The vulnerability allows a remote attacker to bypass implemented security restrictions.
The vulnerability exists due to an error in crypto/x509 when using ExtKeyUsageAny. When calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny it disables policy validation.
This only affected certificate chains which contain policy graphs, which are rather uncommon.
21) Insufficiently protected credentials (CVE-ID: CVE-2024-47081)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to the library leaks .netrc credentials to third parties for specific maliciously-crafted URLs. A remote attacker can gain access to sensitive information.
22) Input validation error (CVE-ID: CVE-2024-7246)
The vulnerability allows a remote attacker to perform spoofing attack.
The vulnerability exists due to insufficient validation of HTTP/2 headers. A remote attacker can send a series of HTTP/2 requests to the application and gain access to sensitive information or perform spoofing attack.
23) Cryptographic issues (CVE-ID: CVE-2025-8556)
The vulnerability allows a remote attacker to compromise session security.
The vulnerability exists due to an error in FourQ elliptic curve implementation and incorrect point validation during Diffie-Hellman key exchange. A remote attacker can compromise session security via low-order point injection and gain access to sensitive information.
24) Resource exhaustion (CVE-ID: CVE-2025-30153)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources. A remote attacker can upload a crafted ZIP file (e.g., a ZIP bomb), causing the server to consume all available system memory, when application validating a request with a multipart/form-data schema, if the OpenAPI schema allows it.
25) Resource exhaustion (CVE-ID: CVE-2025-30204)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to application does not properly control consumption of internal resources within the parse.ParseUnverified function when parsing authorization header. A remote attacker can send a specially crafted HTTP response to the application, trigger resource exhaustion and perform a denial of service (DoS) attack.
26) Uncontrolled Recursion (CVE-ID: CVE-2025-4565)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
the vulnerability exists due to uncontrolled recursion when parsing untrusted data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags. A remote attacker send specially crafted input to the application and can perform a denial of service attack.
27) Link following (CVE-ID: CVE-2025-0913)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to an insecure link following issue within the os.OpenFile(path, os.O_CREATE|O_EXCL) method when handling dangling symlinks on Windows systems. A local user can create a specially crafted symbolic link and write arbitrary files to the system.
28) Inconsistent interpretation of HTTP requests (CVE-ID: CVE-2025-22871)
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests when handling chunked data in net/http. A remote attacker can send a specially crafted HTTP request to the server and smuggle arbitrary HTTP headers.
Successful exploitation of vulnerability may allow an attacker to poison HTTP cache and perform phishing attacks.
29) Information disclosure (CVE-ID: CVE-2025-4673)
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to sensitive Proxy-Authorization and Proxy-Authenticate headers are not cleared on cross-origin redirect in net/http. A remote attacker can gain access to credentials passed via these headers.
30) Improper Encoding or Escaping of Output (CVE-ID: CVE-2025-58189)
The vulnerability allows a remote attacker to perform spoofing attacks.
The vulnerability exists due to missing sanitization of input data when the Conn.Handshake fails during ALPN negotiation in crypto/tls. A remote attacker can pass specially crafted input via an error message and influence the application behavior, leading to a potential spoofing attack.
31) Input validation error (CVE-ID: CVE-2025-47906)
The vulnerability allows a local user to escalate privileges on the system.
The vulnerability exists due to insufficient validation of the PATH environment variable in LookPath. A local user can pass specially crafted strings to the application and execute arbitrary OS commands with elevated privileges.
32) Race condition (CVE-ID: CVE-2025-47907)
The vulnerability allows an attacker to tamper with the application.
The vulnerability exists due to a race condition when canceling a DB query. A local user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system. A remote user can overwrite the expected results with those of another query, causing the call to Scan to return either unexpected results from the other query or an error.
33) Input validation error (CVE-ID: CVE-2025-47912)
The vulnerability allows a remote attacker to bypass certain security restrictions.
The vulnerability exists in net/url due to the Parse function permits values other than IPv6 addresses to be included in square brackets within the host component of a URL. A remote attacker can abuse such behavior to perform spoofing attacks.
34) Resource exhaustion (CVE-ID: CVE-2025-58183)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in archive/tar due to the tar.Reader does not set a maximum size on the number of sparse region data blocks in GNU tar pax 1.0 sparse files. A remote attacker can pass a specially crafted archive to the application and perform a denial of service (DoS) attack.
35) Resource exhaustion (CVE-ID: CVE-2025-58185)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in encoding/asn1 due to application does not properly control consumption of internal resources when parsing DER payloads. A remote attacker can trigger memory exhaustion and perform a denial of service (DoS) attack.
36) Allocation of Resources Without Limits or Throttling (CVE-ID: CVE-2025-58186)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in net/http due to the application does not limit the number of cookies sent in the request. A remote attacker can send a lot of very small cookies such as "a=;" and cause large memory consumption.
37) Resource exhaustion (CVE-ID: CVE-2025-58187)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists due to quadratic complexity when checking name constraints in crypto/x509. A remote attacker can pass a specially crafted x509 certificate to the application and trigger resource exhaustion.
38) Input validation error (CVE-ID: CVE-2025-58188)
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists in crypto/x509 due to an error when validating certificate chains which contain DSA public keys. A remote attacker can pass a specially crafted certificate to the application and crash it.
Remediation
Install update from vendor's website.