SB2026051166 - Multiple vulnerabilities in Nautobot
Published: May 11, 2026
Description
This security bulletin contains information about 2 vulnerabilities.
1) Improper Neutralization of Special Elements Used in a Template Engine (CVE-ID: CVE-2025-49142)
The vulnerability allows a remote user to disclose secret values and modify data within Nautobot.
The vulnerability exists due to improper neutralization of special elements used in a template engine in the Jinja2 templating feature for computed fields, custom links, and related templated content when rendering user-configured templates. A remote user can configure crafted templated content to disclose secret values and modify data within Nautobot.
Data modification can bypass the object permissions assigned to the viewing user.
2) Information disclosure (CVE-ID: CVE-2025-49143)
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to improper access control in the media file URL endpoint when serving uploaded files from the MEDIA_ROOT directory. A remote attacker can request a known or guessed file URL to disclose sensitive information.
For successful exploitation, the attacker must know or correctly guess the target file name or URL.
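As an added illustration for the media endpoint issue above (this is example code written for this bulletin, not Nautobot's implementation), the following Python places a weak file handler, which returns any file under MEDIA_ROOT to whoever knows or guesses its URL, next to a hardened one that requires an authenticated user with view permission on the object the file is attached to. The handler also refuses paths that resolve outside MEDIA_ROOT as a general hardening measure the bulletin does not itself describe. The temporary MEDIA_ROOT, the file names, the attachment-to-object map and the permission model are all constructed assumptions.

```python
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Constructed fixture: a throwaway MEDIA_ROOT holding two uploaded attachments.
MEDIA_ROOT = Path(tempfile.mkdtemp(prefix="media_root_"))
(MEDIA_ROOT / "attachments").mkdir()
(MEDIA_ROOT / "attachments" / "site-a-floorplan.pdf").write_bytes(b"%PDF site A floorplan")
(MEDIA_ROOT / "attachments" / "site-b-contract.pdf").write_bytes(b"%PDF site B contract")

# Constructed metadata: the object each uploaded file is attached to.
# A real application would look this up in its database.
ATTACHMENT_OWNER = {
    "attachments/site-a-floorplan.pdf": "site-a",
    "attachments/site-b-contract.pdf": "site-b",
}


@dataclass
class User:
    """Minimal stand-in for a request's user and its object-level view permissions."""
    username: str
    is_authenticated: bool = True
    can_view: set = field(default_factory=set)  # ids of objects the user may view


ANONYMOUS = User("anonymous", is_authenticated=False)


class Forbidden(Exception):
    """Request rejected because the caller is not authenticated."""


class NotFound(Exception):
    """Request rejected: file absent, outside MEDIA_ROOT, or not visible to the caller."""


def serve_media_unchecked(user: User, relative_url: str) -> bytes:
    """Weak handler modelling the flaw: anyone who knows or guesses the URL gets the bytes.

    The user argument is accepted but never consulted.
    """
    path = MEDIA_ROOT / relative_url
    if not path.is_file():
        raise NotFound(relative_url)
    return path.read_bytes()


def serve_media_checked(user: User, relative_url: str) -> bytes:
    """Hardened handler: require a login, confine the path, and check object permission."""
    if not user.is_authenticated:
        raise Forbidden("authentication required")

    root = MEDIA_ROOT.resolve()
    path = (root / relative_url).resolve()
    if root not in path.parents:
        # Anything resolving outside MEDIA_ROOT ('..' segments, absolute paths) is refused.
        raise NotFound(relative_url)

    key = path.relative_to(root).as_posix()
    owner = ATTACHMENT_OWNER.get(key)
    if owner is None or not path.is_file():
        raise NotFound(relative_url)

    if owner not in user.can_view:
        # Same response as a missing file, so a guessed URL does not confirm the file exists.
        raise NotFound(relative_url)

    return path.read_bytes()


def outcome(handler, user: User, relative_url: str) -> str:
    """Summarise a request as 'ok', 'forbidden' or 'not_found' for tests and demos."""
    try:
        handler(user, relative_url)
    except Forbidden:
        return "forbidden"
    except NotFound:
        return "not_found"
    return "ok"


if __name__ == "__main__":
    alice = User("alice", can_view={"site-a"})
    for label, user in (("anonymous", ANONYMOUS), ("alice", alice)):
        for url in ("attachments/site-a-floorplan.pdf", "attachments/site-b-contract.pdf"):
            print(f"{label:9} {url:34} unchecked={outcome(serve_media_unchecked, user, url):9} "
                  f"checked={outcome(serve_media_checked, user, url)}")
```

Running the block prints a small matrix: the unchecked handler answers "ok" for every requester, while the checked handler answers "forbidden" for the anonymous user and "not_found" for a logged-in user asking for a file attached to an object they cannot view. Returning the same status for "missing" and "not permitted" is deliberate, so that guessing URLs gives no signal about which files exist.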
Remediation
Install the update from the vendor's website.