Insufficient Security Configuration in Nautobot Network Automation Platform
CVE-2025-49142

6 MEDIUM

Key Information:

Vendor: Nautobot
Status: Vendor
CVE Published: 10 June 2025

What is CVE-2025-49142?

Nautobot is a Network Source of Truth and Network Automation Platform. In versions prior to 2.4.10 and 1.6.32, the Jinja2 templating feature is insufficiently restricted. A user who is able to define templated content can craft a template that, when rendered, exposes sensitive values such as Secrets, or that calls Python APIs to modify data, bypassing the object permissions that would otherwise apply. Until upgraded, deployments should restrict the object permissions that allow creating or editing templated content to trusted users. Nautobot 2.4.10 and 1.6.32 contain the fix.
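The advisory above does not say how the fixed versions restrict templating, so the following is an added example, not Nautobot's code or its actual patch. It uses constructed stand-in classes (Secret, Device) in place of Nautobot's models and shows the general Jinja2 hardening pattern, a SandboxedEnvironment with StrictUndefined, beside the unrestricted Environment, for the two effects the advisory describes: reading a value the template author should not see, and calling a mutating Python API from the template. The template strings are constructed attacker input.

```python
"""Added example: a user-controlled Jinja2 template rendered with and without a
sandbox. Constructed stand-ins, not Nautobot's models or its actual fix."""
from jinja2 import Environment, StrictUndefined
from jinja2.sandbox import SandboxedEnvironment
from jinja2.exceptions import SecurityError


class Secret:
    """Stand-in for a stored credential (constructed; not Nautobot's Secret model)."""

    def __init__(self, name, value):
        self.name = name
        self._value = value  # the sensitive part, "private" by convention only


class Device:
    """Stand-in for an ORM object handed to a template (constructed)."""

    def __init__(self, name, secret):
        self.name = name
        self.secret = secret
        self.deleted = False
        self.tags = []

    def delete(self):
        """Mutating API. Django sets alters_data=True on save()/delete(); so do we."""
        self.deleted = True
        return ""

    delete.alters_data = True

    def add_tag(self, tag):
        """Mutating API that is NOT flagged, to show where the sandbox stops helping."""
        self.tags.append(tag)
        return ""


def render_unsandboxed(template_src, **ctx):
    """Plain Environment: the template author gets full attribute access."""
    return Environment().from_string(template_src).render(**ctx)


def render_sandboxed(template_src, **ctx):
    """SandboxedEnvironment plus StrictUndefined, so an unsafe access raises
    instead of silently rendering as '' (the default Undefined hides the probe)."""
    env = SandboxedEnvironment(undefined=StrictUndefined)
    return env.from_string(template_src).render(**ctx)


def probe(render, template_src, **ctx):
    """Render one attacker-supplied template; ('ok', output) or ('blocked', reason)."""
    try:
        return ("ok", render(template_src, **ctx))
    except SecurityError as exc:
        return ("blocked", str(exc))


def demo():
    """Run the same four attacker templates through both renderers."""
    results = {}
    for label, render in (("plain", render_unsandboxed), ("sandbox", render_sandboxed)):
        dev = Device("rtr1", Secret("snmp-community", "hunter2"))  # constructed data
        results[label] = {
            # 1. reach past the public surface into the secret's stored value
            "leak": probe(render, "{{ device.secret._value }}", device=dev),
            # 2. walk Python internals (first step of the usual RCE chain)
            "introspect": probe(render, "{{ device.__class__ }}", device=dev),
            # 3. call a mutating API that is flagged alters_data
            "delete": probe(render, "{{ device.delete() }}", device=dev),
            "deleted_flag": dev.deleted,
            # 4. call a mutating API that is NOT flagged
            "add_tag": probe(render, "{{ device.add_tag('pwned') }}", device=dev),
            "tags": list(dev.tags),
        }
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
```

Two caveats worth checking in your own deployment: the sandbox refuses to call a method only if it carries `alters_data` or `unsafe_callable` (Django's model `save()`/`delete()` do; an arbitrary helper does not), so `add_tag` succeeds under both renderers, and the real control is to pass templates read-only data rather than live ORM objects. Second, with the default `Undefined` the sandbox renders a blocked attribute as an empty string, which lets an attacker probe quietly; `StrictUndefined` turns the probe into a logged `SecurityError`.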

Affected Version(s)

nautobot < 1.6.32

nautobot >= 2.0.0, < 2.4.10

CVSS V4

Score: 6
Severity: MEDIUM
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved