PE 2025.7
On this page:
Released December 2025
Starting August 6, 2026, Puppet Enterprise® will adopt a new software support model using the following nomenclature of “Latest” and “Latest - 1” that will accelerate product innovation and simplify the product lifecycle management.
What’s changing?
Under the new model:
-
“Latest” series: Receives full software support and maintenance (new features, fixes, security updates) for 12 months from the date of the latest major version release.
-
“Latest - 1” series: Receives limited software support and maintenance (security updates, defect fixes, and minor changes only) for an additional 12 months after being superseded by the “Latest” version of the Puppet Enterprise® software.
The new model will replace the previous Long-Term Support (“LTS”) model, which offered up to twenty-four (24) months of limited software support and maintenance with limited feature delivery.
Impact on current release streams:
-
PE 2023.8.z series (LTS): This is the final series supported under the LTS support model. Maintenance releases will continue until August 2026, when the series reaches end of life (“EOL”). This timing coincides with the launch of the new software and support lifecycle model. Customers should begin planning upgrades to remain supported.
-
PE 2025.y series (Current “latest”): This series will continue receiving the latest updates until August 2026, when the next major PE version is released. At that point, 2025.y will transition to “Latest -1” and receive security updates, defect fixes, and minor changes only until its EOL in August 2027.
This change is designed to:
-
Deliver continuous access to new features
-
Improve security through more frequent updates and patches
-
Provide a predictable, simplified support timeline
Further documentation and upgrade guidance will be provided ahead of the August 2026 transition.
Puppet® Continuous Delivery and Puppet Comply® (also known as Puppet Security Compliance Management (“SCM”)) lifecycle updates:
For important information about the product lifecycle changes for Puppet® Continuous Delivery and Puppet Comply® /SCM, see:
For important information about upgrading to 2025, see Upgrading Puppet Enterprise.
If you're on the LTS stream (2023.8), you'll find release notes and other information for that series in the 2023.8 documentation.
Customers on 2021.7.z, which is EOL, are encouraged to upgrade to 2023.8.z.
To access End-of-Life (EOL) dates and maintenance information, see PE End-of-Life (EOL).
Enhancements
Infra Assistant: code assist support for writing Puppet code, tasks, and plans
In this release, Infra Assistant: code assist capabilities have been extended to support Puppet code, tasks, and plans using natural language.
For more information, about purchasing a license to access this feature, see Getting a license.
Infra Assistant: Performance and usability improvements
In PE 2025.7, Puppet Enterprise’s Infra Assistant provides users with smoother, more efficient interactions including:
-
Streaming support: Provides a more responsive and seamless user experience.
-
Infra Assistant setup improvements: The workflow for setting up the Infra Assistant has been simplified. In this release, you no longer need to select an additional checkbox for the MCP server. Once you enable the Infra Assistant service, the service is ready to use.
Advanced Patching: New PE console capabilities
From the PE console, Advanced Patching users can:
-
Edit a patch group
Advanced Patching: Usability improvements
To make managing patch jobs and tracking job runs clearer and more efficient, the PE console now includes two dedicated pages:
-
Scheduled patching: View and manage patch job schedules and configurations.
-
Patch runs: See the status, history, and outcomes for each execution instance of a patch job, whether scheduled or ad hoc.
This update replaces the previous single patch job page.
Advanced Patching operations alerts using the Observability Data Connector
Starting in PE 2025.7, you can use the Observability Data Connector to set up alerts for patching operations. These alerts provide visibility into key job-level and node-level events, such as when a patch job completes or when a node encounters an error during patching.
For full information about installing the module and instructions for setting up alerts for patching, see the Observability Data Connector module README.
Advanced Patching API: New endpoints
PE 2025.7 includes the following new endpoints.
Patch group management:
-
POST /v1/command/update-patch-group: Edit an existing patch group.
Subscription management (for patching alerts via the Observability Data Connector):
-
POST /v1/command/create-subscription: Create a new event subscription.
-
POST /v1/command/update-subscription: Update an existing subscription.
-
POST /v1/command/delete-subscription: Delete a subscription.
Platform support
Agent platforms added
This release adds support for the Puppet agent on the following operating system platforms:
-
Red Hat Enterprise Linux (RHEL) 10 ARM
Primary platforms added
-
Red Hat Enterprise Linux (RHEL) 10
Bolt plan function support
This release adds support for the following Bolt plan language function:
-
plan_context: This function returns a hash of data containing the context that the plan is running in, for Puppet Enterprise or Bolt.
For more information see, plan_context.
Resolved issues
Workflows: fixed unhandled errors when starting workflow runs
In PE 2025.6, some errors occurring when starting workflow runs were unhandled (example: running a workflow that was created by a user whose access has been revoked). This has been fixed in PE 2025.7.0.
Workflows created by revoked users can no longer be run
In PE 2025.6, workflows created by revoked users would still run the message steps. This issue has been fixed in PE 2025.7.
On the detailed workflow run page, the plan output now properly includes messages and tasks
In PE 2025.6, when rendering a plan that has message output, the plan display did not show the messages or tasks. This has been fixed in PE 2025.7.
Workflow service no longer fails to start when the system contains a replica
In PE 2025.6, if the workflow service was enabled on a system that contained a replica, the workflow service would fail to start correctly. This has been fixed in PE 2025.7.
Activity service no longer fails to purge events
In PE 2025.6, the activity service would fail to correctly purge old entries. This issue has been fixed in PE 2025.7.
Backing up PE no longer fails when a file changes while reading it
In prior versions of PE, when creating a backup the process would fail if a file changed during backup. This issue has been fixed in PE 2025.7.
Advanced Patching: Fixed issue causing classification conflicts when using dynamic membership rules
In PE 2025.6, creating a patch group using the Dynamic membership (Create rules) option could result in classification conflicts that caused patching failures. This issue has been fixed in PE 2025.7.
Infra Assistant MCP server now works with the latest version of Visual Studio Code (VSCode)
In PE 2025.6, using the latest version of VSCode to attach to the MCP server resulted in an error. This has been fixed in PE 2025.7.
Security fixes
Addressed the following CVEs:
The following CVE was fixed in PE:
- CVE-2025-12183
- CVE-2025-9230
- CVE-2025-9232
-
CVE-2025-9086
-
CVE-2025-10148
-
CVE-2025-61594
-
CVE-2025-54314
The following CVE was fixed in PE’s rubygem-REXML:
- CVE-2025-58767 (affected version: REXML 3.3.x.)
The following CVEs were fixed in the agent:
- CVE-2025-61770
- CVE-2025-61771
- CVE-2025-61772
The following CVEs were fixed in the PE Bolt server:
The following CVE was identified in 2023.x and 2025.x but does not affect PE:
-
CVE-2025-4949
