PE 2025.5
Released August 2025
Starting August 6, 2026, Puppet Enterprise® will adopt a new software support model using the following nomenclature of “Latest” and “Latest - 1” that will accelerate product innovation and simplify the product lifecycle management.
What’s changing?
Under the new model:
-
“Latest” series: Receives full software support and maintenance (new features, fixes, security updates) for 12 months from the date of the latest major version release.
-
“Latest - 1” series: Receives limited software support and maintenance (security updates, defect fixes, and minor changes only) for an additional 12 months after being superseded by the “Latest” version of the Puppet Enterprise® software.
The new model will replace the previous Long-Term Support (“LTS”) model, which offered up to twenty-four (24) months of limited software support and maintenance with limited feature delivery.
Impact on current release streams:
-
PE 2023.8.z series (LTS): This is the final series supported under the LTS support model. Maintenance releases will continue until August 2026, when the series reaches end of life (“EOL”). This timing coincides with the launch of the new software and support lifecycle model. Customers should begin planning upgrades to remain supported.
-
PE 2025.y series (Current “latest”): This series will continue receiving the latest updates until August 2026, when the next major PE version is released. At that point, 2025.y will transition to “Latest -1” and receive security updates, defect fixes, and minor changes only until its EOL in August 2027.
This change is designed to:
-
Deliver continuous access to new features
-
Improve security through more frequent updates and patches
-
Provide a predictable, simplified support timeline
Further documentation and upgrade guidance will be provided ahead of the August 2026 transition.
Puppet® Continuous Delivery and Puppet Comply® (also known as Puppet Security Compliance Management (“SCM”)) lifecycle updates:
For important information about the product lifecycle changes for Puppet® Continuous Delivery and Puppet Comply® /SCM, see:
For important information about upgrading to 2025, see Upgrading Puppet Enterprise.
If you're on the LTS stream (2023.8), you'll find release notes and other information for that series in the 2023.8 documentation.
Customers on 2021.7.z, which is EOL, are encouraged to upgrade to 2023.8.z.
To access End-of-Life (EOL) dates and maintenance information, see PE End-of-Life (EOL).
Features
PE console: Filter plans by name
In PE 2025.5 and 2023.8.5, the Plans page in the PE console has been updated to include filtering plans by name.
PE console: Rerun plans
In PE 2025.5 and 2023.8.5, the Plans page in the PE console has been updated to enable users to rerun plans.
Enhancements
File sync configuration: New settings added
The following new settings for configuring file sync across Puppet Enterprise have been added:
-
puppet_enterprise::master::code_management::file_sync_copy_method
The underlying copy implementation to use in versioned deploys. The java option will use Files.copy, while shell-cp will use /bin/cp.
Default: shell-cp
-
puppet_enterprise::master::code_management::file_sync_versioned_sync_pool
The number of threads used to deploy environments in parallel when using versioned directories.
Default: 2
Both settings apply to Puppet Server and Orchestrator on the PE primary and any compilers (for Puppet Server).
Platform support
Agent platforms added
This release adds support for the Puppet agent on the following operating system platforms:
-
Red Hat Enterprise Linux (RHEL) 10 x86_64
Deprecations and removals
The following parameter has been deprecated:
-
puppet_enterprise::profile::plan_executor::versioned_deploys
This parameter is turned on by default however, it is not customizable and you may receive the following warning message during an agent run:
Warning: The puppet_enterprise::profile::plan_executor::versioned_deploys parameter is deprecated and will be removed in a future release; however, it has been set to 'true'. Please remove it from your Classifier classification, hiera data or /etc/puppetlabs/enterprise/conf.d/pe.conf, as appropriate. Warning:/Stage[main]/Puppet_enterprise::Profile::Orchestrator/Puppet_enterprise::Deprecated_parameter[puppet_enterprise::profile::plan_executor::versioned_deploys]/Notify[puppet_enterprise::profile::plan_executor::versioned_deploys is deprecated]/message: defined 'message' as 'The puppet_enterprise::profile::plan_executor::versioned_deploys parameter is deprecated and will be removed in a future release; however, it has been set to \'true\'. Please remove it from your Classifier classification, hiera data or /etc/puppetlabs/enterprise/conf.d/pe.conf, as appropriate.'
Resolved issues
Inability to provision compilers with 2025.4
In PE 2025.4.0, the provision compiler command failed to run the provision_compiler plan from enterprise_tasks. This has been fixed in PE 2025.5.
Patching runs incorrectly reporting that patching did not occur fixed
In previous versions of Puppet Enterprise, patching runs incorrectly reported that patching did not occur under some agent locales. This has been fixed in PE 2023.8.5 and 2025.5.
r10k commits on refs outside of refs/heads/* no longer fail
In PE 2023.8.1-2023.8.4 and PE 2025.1-2025.4, code deployments utilizing commits on refs outside of refs/heads/* failed. In practice, this meant pointing to a commit in an in-progress PR failed (depending on your branching/forking strategy). PE 2023.8.5 and 2025.5 ship with version 5.0.2 of r10k that includes a fix for this issue.
Apache Commons FileUpload updated to version 1.6 to resolve CVE-2025-48976
In PE-2025.5 and 2023.8.5, Apache Commons FileUpload has been updated to version 1.6 to resolve CVE-2025-48976.
Incorrectly migrated MacOSX top-level facts used in node group rules fixed
When upgrading from 2021.7.x to 2023.8.2-2023.8.4 or to 2025.0-2025.4., which involved a Puppet v7 to Puppet v8 major upgrade, many legacy top-level facts used in node group rules were automatically migrated to structured facts. The following MacOSX facts were incorrectly migrated:
-
macosx_buildversion -
macosx_productname -
macosx_productversion -
macosx_productversion_major -
macosx_productversion_minor
This has been fixed in 2023.8.5 and 2025.5.
If any of those MacOSX top-level facts were previously migrated incorrectly in your node groups, the correct mapping for those is as follow:
-
macosx_buildversion[fact,os,macosx,build] -
macosx_productname[fact,os,macosx,product] -
macosx_productversion[fact,os,macosx,version,full] -
macosx_productversion_major[fact,os,macosx,version,major] -
macosx_productversion_minor[fact,os,macosx,version,minor]
PE console redirection after login issue fixed
In PE 2025.0-2025.4 and 2023.1.0-2023.8.4, users who were logged out and attempted to visit a specific PE console page after logging in were not redirected correctly. This has been fixed in 2023.8.5 and 2025.5.
Upgrading agents from version 7.30 to later versions no longer causes agent performance degradation
In PE 2021.7.9-2021.7.10, 2023.8.0-2023.8.4 and 2025.0-2025.4, agents that were upgraded from version 7.30 to later versions had a considerable increase in agent runtime. This issue has been fixed in 2025.5.0 and 2023.8.5.
pe-console-services no longer runs out of memory while generating an internal cache in PE 2023.8.z
pe-console-services no longer runs out of memory while generating an internal cache in PE 2023.8.z. This has been fixed in PE 2023.8.5 and 2025.5.
Security fixes
Addressed the following CVEs:
-
CVE-2025-4947
-
CVE-2025-5025
-
CVE-2025-5399
-
CVE-2025-6021
-
CVE-2025-6170
-
CVE-2025-6442 (This CVE has been resolved as the WEBrick gem is no longer shipped with PE. PE will not be affected by any CVEs WEBrick may have in the future.)
-
CVE-2025-6545
-
CVE-2025-43857
-
CVE-2024-47220 (This CVE has been resolved as the WEBrick gem is no longer shipped with PE. PE will not be affected by any CVEs WEBrick may have in the future.)
-
CVE-2025-48976
-
CVE-2025-49794
-
CVE-2025-49795
-
CVE-2025-49796
