CVE-2025-5459 — OS Command Injection in Enterprise

CWE-78 — OS Command Injection4 documents4 sources

Severity

8.6HIGHNVD

EPSS

0.1%

top 73.23%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Puppet Enterprise Perforce Puppet Enterprise

Timeline

PublishedJun 26

Description

A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDpuppet/puppet_enterprise2018.1.8 — 2023.8.4+1

▶CVEListV5perforce/puppet_enterprise2018.1.8 — 2023.8.3, 2025.3

🔴Vulnerability Details

GHSA

GHSA-2q8m-2xcf-6rrj: A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary h↗2025-06-26

▶

CVEList

OS Command Injection↗2025-06-26

▶

📋Vendor Advisories

Debian

CVE-2025-5459: puppetserver - A user with specific node group editing permissions and a specially crafted clas...↗2025

▶