CVE-2025-5459
Last modified
CVE-2025-5459 is a high-severity vulnerability rated 8.6/10 on the CVSS scale. A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0.. EPSS estimates a 0.43% chance of exploitation in the next 30 days.
Description
A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Puppet | Puppet Enterprise | >= 2018.1.8, < 2023.8.4 |
| Puppet | Puppet Enterprise | 2025.3.0 |
References
- https://portal.perforce.com/s/detail/a91PA000001SiDdYAKThird Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2025-5459?
How severe is CVE-2025-5459?
How do I fix CVE-2025-5459?
Are you affected by CVE-2025-5459?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST