CVE-2025-62607: 
Python vulnerability analysis and mitigation

CVE-2025-62607 affects Nautobot Single Source of Truth (SSoT) application prior to version 3.10.0. The vulnerability allows an unauthenticated attacker to access the ServiceNow configuration page to view the Service Now public instance name (e.g., companyname.service-now.com). The issue was discovered and disclosed on October 21, 2025, and has been assigned a CVSS v3.1 base score of 5.3 (Medium) (GitHub Advisory, NVD).

The vulnerability exists because the ServiceNow configuration URL (/plugins/ssot/servicenow/config/) uses a generic Django View with no authentication requirements. The issue is classified as CWE-306 (Missing Authentication for Critical Function). The vulnerability has been assigned a CVSS v3.1 vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating it can be exploited remotely with low attack complexity and requires no privileges or user interaction (GitHub Advisory).

The impact of this vulnerability is considered low. While an unauthenticated attacker can access the ServiceNow configuration page to view the public instance name, this is considered low-value information. The vulnerability does not expose sensitive information such as Secret, Secret Name, or Username/Password credentials for Service-Now.com. Additionally, attackers cannot modify the instance name, set secrets, or gain access to other Nautobot pages through this vulnerability (GitHub Advisory).

The vulnerability has been patched in Nautobot SSoT version 3.10.0 by enforcing permissions on the ServiceNow Config view. Users are strongly recommended to upgrade to this version. As a workaround, if immediate upgrading is not possible, administrators can disable the ServiceNow SSoT integration entirely (GitHub Release, GitHub Advisory).