CVE-2025-49142
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-06-10

Last updated on: 2025-08-21

Assigner: GitHub, Inc.

Description
Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot, a malicious user could configure this feature set in ways that could expose the value of Secrets defined in Nautobot when the templated content is rendered or that could call Python APIs to modify data within Nautobot when the templated content is rendered, bypassing the object permissions assigned to the viewing user. Nautobot versions 1.6.32 and 2.4.10 will include fixes for the vulnerability. The vulnerability can be partially mitigated by configuring object permissions appropriately to limit certain actions to only trusted users.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-06-10
Last Modified
2025-08-21
Generated
2026-05-07
AI Q&A
2025-06-10
EPSS Evaluated
2026-05-05
NVD
CVE-2025-49142
EUVD
EUVD-2025-17714
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
networktocode nautobot to 1.6.32 (exc)
networktocode nautobot From 2.0.0 (inc) to 2.4.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1336 The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Nautobot arises from insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, and similar components. A malicious user can exploit this flaw by crafting templated content that, when rendered, can expose secret values stored in Nautobot or invoke Python APIs to modify data within Nautobot. This bypasses the object permissions assigned to the viewing user, allowing unauthorized access or modification of sensitive information. The issue affects Nautobot versions prior to 1.6.32 and 2.4.10 and is related to unsafe method calls within templates that were not properly restricted. [2, 3]


How can this vulnerability impact me? :

The vulnerability can lead to unauthorized exposure of confidential secrets stored in Nautobot, impacting confidentiality. Additionally, it allows unauthorized modification of data by bypassing object permissions, though the integrity impact is considered low. There is no impact on availability. Because the vulnerability can be exploited remotely without user interaction but requires low privileges and has high attack complexity, an attacker could potentially gain sensitive information or alter data they should not have access to, which could compromise network automation and management processes relying on Nautobot. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate steps to mitigate this vulnerability include upgrading Nautobot to versions 1.6.32 or 2.4.10, which contain patches addressing the issue. As a partial workaround before upgrading, restrict permissions related to secrets, computed fields, custom links, and job buttons (such as extras.add_secret, extras.change_secret, extras.view_secret, extras.add_computedfield, extras.change_computedfield, extras.add_customlink, extras.change_customlink, extras.add_jobbutton, extras.change_jobbutton) to trusted users only. Additionally, configuring object permissions appropriately to limit certain actions to trusted users can partially mitigate the risk. [2]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart