CVE-2025-5459

216.73.217.22

· Published 26/06/2025 07:15 · Modified 26/06/2025 18:57

Labels: CVE-2025-5459 2025-06-26 CVE-2025-5459 CWE-78 [email protected]

Essential information

Published: 26/06/2025 07:15
Modified: 26/06/2025 18:57
Author: —
Creator: —
CVSS: 8.6 HIGH (v3) 8.6 HIGH (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
puppet / puppet enterprise	`cpe:2.3:a:puppet:puppet_enterprise:2018.1.8-2023.8.3:::::::*`
puppet / puppet enterprise	`cpe:2.3:a:puppet:puppet_enterprise:2025.3:::::::*`
puppet / puppet enterprise	`cpe:2.3:a:puppet:puppet_enterprise:2023.8.4:::::::*`
puppet / puppet enterprise	`cpe:2.3:a:puppet:puppet_enterprise:2025.4.0:::::::*`