Insufficiently Protected Credentials in Puppet Enterprise 2025.4 and 2025.5
CVE-2025-10360

6.9MEDIUM

Key Information:

Vendor: Perforce
Status: Puppet Enterprise
Vendor: CVE Published:; 24 September 2025

What is CVE-2025-10360?

In Puppet Enterprise versions 2025.4.0 and 2025.5, the encryption key used for encrypting content in the Infra Assistant database was not excluded from the files gathered by Puppet backup. The key is only present on the system if the user has a Puppet Enterprise Advanced license and has enabled the Infra Assistant feature. The key is used for encrypting one particular bit of data in the Infra Assistant database: the API key for their AI provider account. This has been fixed in Puppet Enterprise version 2025.6, and release notes for 2025.6 have remediation steps for users of affected versions who can't update to the latest version.

Affected Version(s)

Puppet Enterprise 2025.4 <= 2025.5

References

https://portal.perforce.com/s/cve/a91PA000001Smp7YAC/insu...

CVSS V4

Score:

6.9

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 24, 2025
Vulnerability Reserved
Sep 12, 2025

JSON

Perforce

What is CVE-2025-10360?

Affected Version(s)

References

CVSS V4

Timeline