Puppet known issues

Before you install Puppet Core, review the list of known issues. These are the known issues for installation and upgrade in this release.

Poor performance when managing services on macOS 26 x86_64

Puppet Core is slow to respond when managing services on macOS 26 x86_64. For example, running puppet resource service can take more than 10 seconds to return results. This issue does not affect macOS 26 ARM. PA-8502

The resolv gem version included in recent versions of Puppet agent is vulnerable to CVE-2025-24294

Affects versions: Puppet Core 8.14.0

Resolved: Puppet Core 8.15.0 (patched), 8.17.0 (resolv gem 0.2.2 completely removed from Puppet agent)

Recent versions of Puppet agent include a version of the resolv gem (version 0.2.2) which is vulnerable to CVE-2025-24294. This vulnerability can cause a Denial of Service (DoS) consuming large amounts of CPU resources. To help prevent the issue, update the gem to a version not affected by the CVE. Complete the following steps on each agent node.

  1. Check if the affected version of resolv (0.2.2) is installed. Run:

    Copy 
    /opt/puppetlabs/puppet/bin/gem list resolv.

    Example output from an affected node:

    Copy 
    *** LOCAL GEMS ***
    resolv (default: 0.2.2)
    resolv-replace (default: 0.1.1)

  2. If the affected version is installed, update the resolv gem. Run:

    Copy 
    /opt/puppetlabs/puppet/bin/gem update resolv

    When the update is successful, the output is similar to the following:

    Copy 
    Updating installed gems
    Updating resolv
    Fetching resolv-0.6.2.gem
    Building native extensions. 
    This could take a while...
    Successfully installed resolv-0.6.2
    Parsing documentation for resolv-0.6.2
    Installing ri documentation for resolv-0.6.2
    Done installing documentation for resolv after 0 seconds
    Parsing documentation for resolv-0.6.2
    Done installing documentation for resolv after 0 seconds
    Gems updated: resolv

  3. Ensure that an updated version of resolv is installed. Run:

    Copy 
    /opt/puppetlabs/puppet/bin/gem list resolv

    If the update was successful, the output shows an updated version of the resolv gem. For example:

    Copy 
    *** LOCAL GEMS *** 
    resolv (0.6.2, default: 0.2.2) 
    resolv-replace (default: 0.1.1)

  4. Uninstall the affected version of the resolv gem. Run:

    Copy 
    /opt/puppetlabs/puppet/bin/gem cleanup resolv

PA-7637

Package collection on macOS triggers attempt to install developer tools for Python

When running Puppet 7.8.0 on macOS, Puppet might attempt to collect Python packages, which are no longer used in macOS. An error message states that PIP packages cannot be collected, with a prompt to install associated command-line developer tools. This behavior is triggered by a stub executable present in macOS. PUP-11508

User and group management on macOS 11 and later requires Full Disk Access (FDA)

To manage users and groups with Puppet on macOS 11 and later, you must grant Puppet Full Disk Access (FDA). You must also grant FDA to the parent process that triggers your Puppet run. For example:

  • To run Puppet in a server-agent infrastructure, you must grant FDA to the pxp-agent.

  • To run Puppet from a remote machine with SSH commands, you must grant FDA to sshd.

  • To run Puppet commands from the terminal, you must grant FDA to terminal.app.

To give Puppet access, go to System Preferences > Security & Privacy > Privacy > Full Disk Access, and add the path to the Puppet executable, along with any other parent processes you use to run. For detailed steps, see Add full disk access for Puppet on macOS 10.14 and newer. Alternatively, set up automatic access using Privacy Preferences Control Profiles and a Mobile Device Management Server. PA-2226, PA-2227

Hiera knockout_prefix is ineffective in hierarchies more than three levels deep

When specifying a deep merge behavior in Hiera, the knockout_prefix identifier is effective only against values in an adjacent array, and not in hierarchies more than three levels deep. HI-223

Specify the epoch when using version ranges with the yum package provider

When using version ranges with the yum package provider, there is a limitation which requires you to specify the epoch as part of the version in the range, otherwise it uses the implicit epoch `0`. For more information, see the RPM packaging guide. PUP-10298

Deferred functions can only use built-in Puppet types

Deferred functions can only use types that are built into Puppet (for example String). They cannot use types from modules like stdlib because Puppet does not plugin-sync these types to the agent. PUP-8600

The Puppet agent installer fails when systemd is not present on Debian 10 and later

The puppet-agent package does not include sysv init scripts for Debian 10 (buster) and newer. If you have disabled or removed systemd, puppet-agent installation and Puppet agent runs can fail.