How to fix EUVD-2025-19173?

Within 7 days: Identify all affected systems and apply vendor patches promptly. Validate that input sanitization is in place for all user-controlled parameters.

Is Command Injection affected by EUVD-2025-19173?

CVE-2025-5459 presents significant security risk, a OS command injection vulnerability rated CVSS 8.8. Successful exploitation could allow attackers to execute arbitrary code or commands on affected systems, potentially leading to full system compromise.

EUVD-2025-19173

| CVE-2025-5459 HIGH

2025-06-26 [email protected]

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch Released

Mar 31, 2026 - 21:13 nvd

Patch available

Analysis Generated

Mar 15, 2026 - 23:54 vuln.today

EUVD ID Assigned

Mar 15, 2026 - 23:54 euvd

EUVD-2025-19173

CVE Published

Jun 26, 2025 - 07:15 nvd

HIGH 8.8

Description

A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0.

Analysis

Technical Context

Command injection allows an attacker to execute arbitrary OS commands on the host system through a vulnerable application that passes user input to system shells. This vulnerability is classified as OS Command Injection (CWE-78).

Affected Products

Affected products: Puppet Puppet Enterprise

Remediation

Avoid passing user input to system commands. Use language-specific APIs instead of shell commands. If unavoidable, use strict input validation and escaping.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.1

CVSS: +44

POC: 0

Vendor Status

Debian

puppetserver

Release	Status	Fixed Version	Urgency
bookworm	fixed	7.9.5-2+deb12u1	-
trixie	fixed	8.7.0-5	-
forky, sid	fixed	8.7.0-6	-
(unstable)	not-affected	-	-

EUVD-2025-19173 vulnerability details – vuln.today

Back

EUVD-2025-19173

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Debian

Share

EUVD-2025-19173

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Vendor Status

Debian

Share

External POC / Exploit Code