Puppet known issues

Before you install Puppet Core, review the list of known issues. These are the known issues for installation and upgrade in this release.

The resolv gem version included in recent versions of Puppet agent is vulnerable to CVE-2025-24294

Recent versions of Puppet agent include a version of the resolv gem (version 0.2.2) that is vulnerable to CVE-2025-24294. This vulnerability can cause a denial of service (DoS) by consuming large amounts of CPU resources. To help prevent the issue, update the gem to a version that is not affected by the CVE. Complete the following steps on each agent node.

  1. Check if the affected version of resolv (0.2.2) is installed. Run:

    /opt/puppetlabs/puppet/bin/gem list resolv

    Example output from an affected node:

    *** LOCAL GEMS ***
    resolv (default: 0.2.2)
    resolv-replace (default: 0.1.1)

  2. If the affected version is installed, update the resolv gem. Run:

    /opt/puppetlabs/puppet/bin/gem update resolv

    When the update is successful, the output is similar to the following:

    Updating installed gems
    Updating resolv
    Fetching resolv-0.6.2.gem
    Building native extensions. This could take a while...
    Successfully installed resolv-0.6.2
    Parsing documentation for resolv-0.6.2
    Installing ri documentation for resolv-0.6.2
    Done installing documentation for resolv after 0 seconds
    Parsing documentation for resolv-0.6.2
    Done installing documentation for resolv after 0 seconds
    Gems updated: resolv

  3. Ensure that an updated version of resolv is installed. Run:

    /opt/puppetlabs/puppet/bin/gem list resolv

    If the update was successful, the output shows an updated version of the resolv gem. For example:

    *** LOCAL GEMS ***
    resolv (0.6.2, default: 0.2.2)
    resolv-replace (default: 0.1.1)

  4. Uninstall the affected version of the resolv gem. Run:

    /opt/puppetlabs/puppet/bin/gem cleanup resolv

PA-7637
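
The check in steps 1 and 3 can be scripted for use across many agent nodes. The following is an added example, not part of the Puppet documentation or tooling: it parses `gem list resolv` output and reports whether the node still needs the update or the cleanup. The function names, status labels, and `GEM_BIN` variable are hypothetical, and only version 0.2.2 is treated as affected because that is the only version this page names.

```shell
#!/bin/sh
# Added example (not Puppet's own tooling). Function names, status labels and
# the GEM_BIN variable are hypothetical; only 0.2.2 is treated as affected,
# because that is the only version this page names.
GEM_BIN="${GEM_BIN:-/opt/puppetlabs/puppet/bin/gem}"
AFFECTED_VERSION="0.2.2"

# Read `gem list resolv` output on stdin and print each listed version of the
# resolv gem, one per line. The resolv-replace line is ignored.
resolv_versions() {
  awk '$1 == "resolv" {
    sub(/^[^(]*[(]/, ""); sub(/[)].*$/, "")      # keep the text inside (...)
    n = split($0, v, /, */)
    for (i = 1; i <= n; i++) { sub(/^default: */, "", v[i]); print v[i] }
  }'
}

# Classify the output:
#   affected                  only 0.2.2 is listed (step 1 output)
#   updated-cleanup-pending   another version is listed beside 0.2.2 (step 3)
#   affected-version-absent   resolv is listed without 0.2.2
#   not-installed             no resolv line at all
resolv_status() {
  versions=$(resolv_versions)
  [ -n "$versions" ] || { echo "not-installed"; return 0; }
  has_affected=no
  has_other=no
  for v in $versions; do
    if [ "$v" = "$AFFECTED_VERSION" ]; then has_affected=yes; else has_other=yes; fi
  done
  case "$has_affected/$has_other" in
    yes/no)  echo "affected" ;;
    yes/yes) echo "updated-cleanup-pending" ;;
    *)       echo "affected-version-absent" ;;
  esac
}

# On a node with the Puppet agent installed, report the live status.
if [ -x "$GEM_BIN" ]; then
  "$GEM_BIN" list resolv | resolv_status
fi
```

Saved `gem list resolv` output collected from other nodes can also be piped through `resolv_status` to find the nodes that still need steps 2 to 4.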

Package collection on macOS triggers attempt to install developer tools for Python

When running Puppet 7.8.0 on macOS, Puppet might attempt to collect Python packages, which are no longer used in macOS. An error message states that PIP packages cannot be collected, with a prompt to install associated command-line developer tools. This behavior is triggered by a stub executable present in macOS. PUP-11508

User and group management on macOS 11 and later requires Full Disk Access (FDA)

To manage users and groups with Puppet on macOS 11 and later, you must grant Puppet Full Disk Access (FDA). You must also grant FDA to the parent process that triggers your Puppet run. For example:

  • To run Puppet in a server-agent infrastructure, you must grant FDA to the pxp-agent.

  • To run Puppet from a remote machine with SSH commands, you must grant FDA to sshd.

  • To run Puppet commands from the terminal, you must grant FDA to terminal.app.

To give Puppet access, go to System Preferences > Security & Privacy > Privacy > Full Disk Access, and add the path to the Puppet executable, along with any other parent processes you use to run Puppet. For detailed steps, see Add full disk access for Puppet on macOS 10.14 and newer. Alternatively, set up automatic access using Privacy Preferences Control Profiles and a Mobile Device Management Server. PA-2226, PA-2227

Hiera knockout_prefix is ineffective in hierarchies more than three levels deep

When specifying a deep merge behaviour in Hiera, the knockout_prefix identifier is effective only against values in an adjacent array, and not in hierarchies more than three levels deep. HI-223

Specify the epoch when using version ranges with the yum package provider

When using version ranges with the yum package provider, you must specify the epoch as part of the version in the range. Otherwise, the implicit epoch `0` is used. For more information, see the RPM packaging guide. PUP-10298

Deferred functions can only use built-in Puppet types

Deferred functions can only use types that are built into Puppet (for example, String). They cannot use types from modules like stdlib because Puppet does not plugin-sync these types to the agent. PUP-8600

The Puppet agent installer fails when systemd is not present on Debian 10 and later

The puppet-agent package does not include sysv init scripts for Debian 10 (buster) and newer. If you have disabled or removed systemd, puppet-agent installation and Puppet agent runs can fail.