CVE-2025-49143
MEDIUMNetworktocode Nautobot < 1.6.32 - Information Disclosure
Title source: ruleDescription
Nautobot is a Network Source of Truth and Network Automation Platform. Prior to v2.4.10 and v1.6.32 , files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file. Nautobot v2.4.10 and v1.6.32 address this issue by adding enforcement of Nautobot user authentication to this endpoint.
References (5)
Core 5
Core References
Vendor Advisory x_refsource_confirm
https://github.com/nautobot/nautobot/security/advisories/GHSA-rh67-4c8j-hjjh
Patch x_refsource_misc
https://github.com/nautobot/nautobot/pull/6672
Patch x_refsource_misc
https://github.com/nautobot/nautobot/pull/6703
Patch x_refsource_misc
https://github.com/nautobot/nautobot/commit/9c892dc300429948a4714f743c9c2879d8987340
Scores
CVSS v3
5.9
EPSS
0.0022
EPSS Percentile
45.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-200
Status
published
Products (2)
networktocode/nautobot
< 1.6.32
pypi/nautobot
0 - 1.6.32PyPI
Published
Jun 10, 2025
Tracked Since
Feb 18, 2026