Puppet Enterprise Insufficiently Protected Encryption Key Vulnerability in Versions 2025.4.0 and 2025.5

Vulnerability

A vulnerability exists in Puppet Enterprise versions 2025.4.0 and 2025.5, where the encryption key for content in the Infra Assistant database was inadvertently included in backup files. This issue affects users with a Puppet Enterprise Advanced license who have activated the Infra Assistant feature. The encryption key is used to secure the API key for the AI provider account within the Infra Assistant database. The vulnerability has been addressed in Puppet Enterprise version 2025.6, which also provides remediation steps for users unable to upgrade to this version.

Impact

Exposing the encryption key in backup files could lead to unauthorized access to the API key for the AI provider account, potentially allowing misuse of the associated AI services.

Remediation

Users can update to Puppet Enterprise version 2025.6, which resolves the vulnerability. For those unable to upgrade, the release notes for version 2025.6 include specific remediation steps.

Added: Sep 24, 2025, 6:37 PM
Updated: Sep 24, 2025, 6:37 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 4.8
remediation: 7.7
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.