CVE-2025-49143

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-49143

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49143.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-49143

Aliases

GHSA-rh67-4c8j-hjjh

Published

2025-06-10T15:43:59.225Z

Modified

2026-04-10T05:28:55.736593Z

Severity

6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N CVSS Calculator

Summary

Nautobot may allows uploaded media files to be accessible without authentication

Details

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to v2.4.10 and v1.6.32 , files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file. Nautobot v2.4.10 and v1.6.32 address this issue by adding enforcement of Nautobot user authentication to this endpoint.

Database specific

{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49143.json",
    "cwe_ids": [
        "CWE-200"
    ],
    "cna_assigner": "GitHub_M"
}

References

Affected packages

Git / github.com/nautobot/nautobot

Affected ranges

Type

GIT

Repo

https://github.com/nautobot/nautobot

Events

Introduced

Fixed

594cf835bd1e1792435fbfd14a62cc03069028eb

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.6.32"
        }
    ]
}

Type

GIT

Repo

https://github.com/nautobot/nautobot

Events

Introduced

3013f25b41a1409adb815afb654fad4988f640ef

Fixed

62274096cc7239a77fd7ad1b1c62527e9adb33ef

Database specific

{
    "versions": [
        {
            "introduced": "2.0.0"
        },
        {
            "fixed": "2.4.10"
        }
    ]
}

Affected versions

v1.*

v1.0.0

v1.0.0a1

v1.0.0a2

v1.0.0b1

v1.0.0b2

v1.0.0b3

v1.0.0b4

v1.0.1

v1.0.2

v1.0.3

v1.1.0

v1.1.0b1

v1.1.0b2

v1.1.1

v1.1.2

v1.1.3

v1.1.4

v1.2

v1.2.0

v1.2.0b1

v1.2.1

v1.2.10

v1.2.11

v1.2.2

v1.2.3

v1.2.4

v1.2.5

v1.2.6

v1.2.7

v1.2.8

v1.2.9

v1.3

v1.3.0

v1.3.1

v1.3.10

v1.3.2

v1.3.3

v1.3.4

v1.3.5

v1.3.6

v1.3.7

v1.3.8

v1.3.9

v1.4.0

v1.4.1

v1.4.2

v1.6.10

v1.6.11

v1.6.12

v1.6.13

v1.6.14

v1.6.15

v1.6.16

v1.6.17

v1.6.18

v1.6.19

v1.6.20

v1.6.21

v1.6.22

v1.6.23

v1.6.24

v1.6.25

v1.6.26

v1.6.27

v1.6.28

v1.6.29

v1.6.3

v1.6.30

v1.6.31

v1.6.4

v1.6.5

v1.6.6

v1.6.7

v1.6.8

v1.6.9

v2.*

v2.0.0

v2.0.1

v2.0.2

v2.0.3

v2.0.4

v2.0.5

v2.0.6

v2.1.0

v2.1.1

v2.1.2

v2.1.3

v2.1.4

v2.1.5

v2.1.6

v2.1.7

v2.1.8

v2.1.9

v2.2.0

v2.2.1

v2.2.2

v2.2.3

v2.2.4

v2.2.5

v2.2.6

v2.2.7

v2.2.8

v2.2.9

v2.3.0

v2.3.1

v2.3.10

v2.3.11

v2.3.12

v2.3.13

v2.3.14

v2.3.15

v2.3.16

v2.3.2

v2.3.3

v2.3.4

v2.3.5

v2.3.6

v2.3.8

v2.3.9

v2.4.0

v2.4.1

v2.4.2

v2.4.3

v2.4.4

v2.4.5

v2.4.6

v2.4.7

v2.4.8

v2.4.9

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49143.json"