CVE-2025-49143: 
Python vulnerability analysis and mitigation

CVE-2025-49143 affects Nautobot, a Network Source of Truth and Network Automation Platform. The vulnerability was discovered in versions prior to v2.4.10 and v1.6.32, where files uploaded by users to Nautobot's MEDIA_ROOT directory were accessible without proper authentication. The issue was disclosed on June 10, 2025, and has been assigned a CVSS v4.0 score of 6.3 (Moderate) (GitHub Advisory).

The vulnerability stems from a URL endpoint that serves files from Nautobot's MEDIA_ROOT directory without enforcing user authentication. This affects various types of uploads including DeviceType image attachments and images attached to Location, Device, or Rack entities. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) with a CVSS v4.0 base score of 6.3, indicating moderate severity. The attack vector is network-based with high complexity, requiring no privileges or user interaction (GitHub Advisory).

The vulnerability allows anonymous users to retrieve uploaded files if they know or can guess the correct URL. For DeviceType image attachments, the impact is somewhat mitigated as no URL endpoint exists for listing the contents of the devicetype-images/ subdirectory. For other image attachments, while authenticated users can list files via the /api/extras/image-attachments/ endpoint, unauthenticated access would require correctly guessing file names (GitHub Advisory).

The vulnerability has been patched in Nautobot versions 2.4.10 and 1.6.32 by adding enforcement of Nautobot user authentication to the affected endpoint. No other workarounds are available other than applying the patches provided in pull requests #6672 (for 2.x) or #6703 (for 1.6) (GitHub Advisory).