User Authentication Lapse in Nautobot Network Automation Platform
CVE-2025-49143

6.3 MEDIUM

Key Information:

Vendor: Nautobot

Status: Vendor

CVE Published: 10 June 2025

What is CVE-2025-49143?

Nautobot, a Network Source of Truth and Network Automation Platform, contains a vulnerability that allows unauthorized access to files uploaded by users to its MEDIA_ROOT directory. Specifically, prior to versions 2.4.10 and 1.6.32, images related to DeviceTypes and other entities could be accessed directly without proper user authentication. This flaw poses a significant risk, as anonymous users might exploit this issue to retrieve sensitive files simply by knowing or guessing the URL. Versions 2.4.10 and 1.6.32 have addressed this security gap by ensuring user authentication checks are enforced on the endpoint serving these files.
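The fix described above, an authentication check enforced on the endpoint that serves MEDIA_ROOT files, is shown below as an added illustration. This is not Nautobot's code; the `Request` class, the `serve_media*` handler names and the constructed sample file are assumptions that model the pattern in a framework-neutral way. The "before" handler returns the file to anyone who knows the path; the "after" handler rejects unauthenticated callers before touching the filesystem and also refuses paths that escape MEDIA_ROOT.

```python
"""Added example (not Nautobot's code): gating a MEDIA_ROOT file-serving
endpoint behind a user-authentication check.

Request, serve_media_unauthenticated, serve_media and the sample file are
illustrative assumptions that model the advisory's 'before' and 'after'."""
from dataclasses import dataclass
from pathlib import Path
from typing import Optional, Tuple


@dataclass
class Request:
    """Minimal stand-in for a web framework request object (assumed shape)."""
    user_authenticated: bool = False


def _resolve_media_path(media_root: Path, rel_path: str) -> Optional[Path]:
    """Map a URL-relative path onto MEDIA_ROOT, rejecting anything that
    escapes the directory ('..' segments, absolute paths, symlinks out)."""
    root = media_root.resolve()
    candidate = (root / rel_path.lstrip("/")).resolve()
    if candidate == root or root not in candidate.parents:
        return None
    if not candidate.is_file():
        return None
    return candidate


def serve_media_unauthenticated(request: Request, media_root: Path,
                                rel_path: str) -> Tuple[int, bytes]:
    """'Before' shape: any client who knows or guesses the URL gets the file."""
    target = _resolve_media_path(media_root, rel_path)
    if target is None:
        return 404, b""
    return 200, target.read_bytes()


def serve_media(request: Request, media_root: Path,
                rel_path: str) -> Tuple[int, bytes]:
    """'After' shape: the authentication check runs before any filesystem
    access, so anonymous callers learn nothing about which paths exist."""
    if not request.user_authenticated:
        return 401, b""
    target = _resolve_media_path(media_root, rel_path)
    if target is None:
        return 404, b""
    return 200, target.read_bytes()


def demo() -> dict:
    """Build a throwaway MEDIA_ROOT with one constructed image file and run
    both handlers; returns the status codes so the difference is visible."""
    import tempfile
    root = Path(tempfile.mkdtemp())
    (root / "devicetype-images").mkdir()
    # Constructed sample upload; contents are irrelevant to the check.
    (root / "devicetype-images" / "switch.png").write_bytes(b"\x89PNG constructed")
    rel = "devicetype-images/switch.png"
    anon = Request()
    user = Request(user_authenticated=True)
    return {
        "before_anon": serve_media_unauthenticated(anon, root, rel)[0],   # 200
        "after_anon": serve_media(anon, root, rel)[0],                    # 401
        "after_user": serve_media(user, root, rel)[0],                    # 200
        "after_traversal": serve_media(user, root, "../../outside.txt")[0],  # 404
    }


if __name__ == "__main__":
    print(demo())
```

The order of the checks matters: authentication first, then path resolution, so an anonymous request cannot be used to probe which upload paths exist. The traversal guard is a separate caveat worth keeping in any file-serving view regardless of the authentication fix.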

Affected Version(s)

nautobot < 1.6.32

nautobot >= 2.0.0, < 2.4.10

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
