CVE-2025-49142: 
Python vulnerability analysis and mitigation

CVE-2025-49142 affects Nautobot, a Network Source of Truth and Network Automation Platform, in versions prior to 2.4.10 and 1.6.32. The vulnerability stems from insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, and other components (NVD, GitHub Advisory).

The vulnerability is classified as CWE-1336 (Improper Neutralization of Special Elements Used in a Template Engine) with a CVSS v4.0 score of 6.0 (Medium). The issue arises from inadequate security controls in the Jinja2 templating functionality, which could allow template content to be rendered in ways that bypass intended security restrictions (GitHub Advisory).

The vulnerability has two main impacts: 1) A malicious user could configure the templating feature to expose the value of Secrets defined in Nautobot when the templated content is rendered, and 2) An attacker could configure the feature to call Python APIs to modify data within Nautobot when the templated content is rendered, effectively bypassing the object permissions assigned to the viewing user (GitHub Advisory).

The vulnerability has been patched in Nautobot versions 1.6.32 and 2.4.10. As a workaround, organizations can partially mitigate the vulnerability by configuring object permissions appropriately to limit certain actions to only trusted users, including permissions for extras.addsecret, extras.changesecret, extras.viewsecret, extras.addcomputedfield, extras.changecomputedfield, extras.addcustomlink, extras.changecustomlink, extras.addjobbutton, and extras.change_jobbutton (GitHub Advisory).