Remote Code Execution Vulnerability in Puppet Enterprise by Puppet
CVE-2025-5459
8.6 HIGH
What is CVE-2025-5459?
A vulnerability in Puppet Enterprise allows a user with specific node group editing permissions to execute commands as root on the primary host by using a specially crafted class parameter. Affected versions are 2018.1.8 through 2023.8.3, and 2025.3; the issue is resolved in versions 2023.8.4 and 2025.4.0.
Affected Version(s)
Puppet Enterprise 2018.1.8 <= 2023.8.3, 2025.3
CVSS V4
Score: 8.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None
Timeline
Vulnerability published
Vulnerability Reserved
Credit
TIM Security Red Team Research
Marco Ventura
Claudia Bartolini
Andrea Carlo Maria Dattola
Stefano Carbè
Massimiliano Brolli