CVE-2025-5459 HIGH

CVE-2025-5459: OS Command Injection

Vendor Perforce
Product Puppet Enterprise
Weakness CWE-78
Published June 26, 2025
Last update July 3, 2025

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

A user with specific node group editing permissions could use a specially crafted class parameter to execute commands as root on the primary host. The issue affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3, and has been resolved in versions 2023.8.4 and 2025.4.0.

Key dates

02 Disclosure timeline

June 26, 2025 CVE published
July 3, 2025 Record updated