Skip to main content

Nautobot CVE-2025-49143

| EUVDEUVD-2025-17712 MEDIUM
Information Exposure (CWE-200)
2025-06-10 security-advisories@github.com GHSA-rh67-4c8j-hjjh
5.9
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.9 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
EUVD ID Assigned
Mar 14, 2026 - 19:49 euvd
EUVD-2025-17712
Analysis Generated
Mar 14, 2026 - 19:49 vuln.today
Patch released
Mar 14, 2026 - 19:49 nvd
Patch available
CVE Published
Jun 10, 2025 - 16:15 nvd
MEDIUM 5.9

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on nautobot (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 2.0.0.

DescriptionGitHub Advisory

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to v2.4.10 and v1.6.32 , files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file. Nautobot v2.4.10 and v1.6.32 address this issue by adding enforcement of Nautobot user authentication to this endpoint.

Analysis

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to v2.4.10 and v1.6.32 , files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file. Nautobot v2.4.10 and v1.6.32 address this issue by adding enforcement of Nautobot user authentication to this endpoint.

Technical ContextAI

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Information Exposure (CWE-200).

RemediationAI

A vendor patch is available — apply it immediately. Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

CVE-2023-46128 MEDIUM POC
6.5 Oct 25

Nautobot is a Network Automation Platform built as a web application atop the Django Python framework with a PostgreSQL

CVE-2023-25657 CRITICAL
9.8 Feb 21

Nautobot is a Network Source of Truth and Network Automation Platform. Rated critical severity (CVSS 9.8), this vulnerab

CVE-2024-34707 MEDIUM POC
4.8 May 14

Nautobot is a Network Source of Truth and Network Automation Platform. Rated medium severity (CVSS 4.8), this vulnerabil

CVE-2025-49142 HIGH
7.1 Jun 10

A remote code execution vulnerability in Nautobot (CVSS 7.1). High severity vulnerability requiring prompt remediation.

CVE-2024-36112 MEDIUM
6.5 May 28

Nautobot is a Network Source of Truth and Network Automation Platform. Rated medium severity (CVSS 6.5), this vulnerabil

CVE-2024-32979 MEDIUM
6.1 May 01

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python

CVE-2024-23345 MEDIUM
5.4 Jan 23

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application. Rated medium severity

CVE-2023-48705 MEDIUM
5.4 Nov 22

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application All users of Nautobot v

CVE-2024-29199 MEDIUM
5.3 Mar 26

Nautobot is a Network Source of Truth and Network Automation Platform. Rated medium severity (CVSS 5.3), this vulnerabil

CVE-2023-50263 MEDIUM
5.3 Dec 12

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python

CVE-2023-51649 MEDIUM
4.3 Dec 22

Nautobot is a Network Source of Truth and Network Automation Platform built as a web application atop the Django Python

Share

CVE-2025-49143 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy