Insufficiently Protected API Key in Puppet Enterprise by Puppet
CVE-2025-10360

6.9 MEDIUM

Key Information:

Vendor: Perforce
CVE Published: 24 September 2025

What is CVE-2025-10360?

In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used to secure content in the Infra Assistant database remained present in Puppet backup files. This key encrypts specific sensitive data, such as the API key for the associated AI provider account, and is only available under a Puppet Enterprise Advanced license with Infra Assistant enabled. Affected users are encouraged to upgrade to version 2025.6, which includes fixes as well as remediation details for those unable to update.

Affected Version(s)

Puppet Enterprise 2025.4 <= 2025.5

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
