6.3

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-49143

GHSA ID

GHSA-rh67-4c8j-hjjh

EPSS Score

0.39565%

CWE

CWE-200

Published

6/10/2025

Updated

6/10/2025

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-49143

CVE-2025-49143: Nautobot may allows uploaded media files to be accessible without authentication

Impact

Files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file.

For DeviceType image attachments, a mitigating factor is that no URL endpoint exists for listing the contents of the devicetype-images/ subdirectory, and the file names are as specified by the uploading user, so any given DeviceType image attachment can only be retrieved by correctly guessing its file name.

Similarly, for all other image attachments, while the images can be listed by accessing the /api/extras/image-attachments/ endpoint as an authenticated user only, absent that authenticated access, accessing the files would again require guessing file names correctly.

Patches

Nautobot v2.4.10 and v1.6.32 will address this issue by adding enforcement of Nautobot user authentication to this endpoint.

Workarounds

No workaround other than applying the patch given in https://github.com/nautobot/nautobot/pull/6672 (2.x) or https://github.com/nautobot/nautobot/pull/6703 (1.6)

References

Are there any links users can visit to find out more?

https://github.com/nautobot/nautobot/commit/9c892dc300429948a4714f743c9c2879d8987340
https://github.com/nautobot/nautobot/commit/d99a53b065129cff3a0fa9abe7355a9ef1ad4c95

(GitHub Advisory)

6.3

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-49143

GHSA ID

GHSA-rh67-4c8j-hjjh

EPSS Score

0.39565%

CWE

CWE-200

Published

6/10/2025

Updated

6/10/2025

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nautobot	pip	< 1.6.32	1.6.32
nautobot	pip	>= 2.0.0, < 2.4.10	2.4.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability allowed unauthenticated access to media files because the Django built-in serve function (django.views.static.serve) was directly exposed in the URL configuration (nautobot/core/urls.py) for the /media/ path. This function, by default, does not enforce application-level authentication. The patches (9c892dc300429948a4714f743c9c2879d8987340 for Nautobot 2.x and d99a53b065129cff3a0fa9abe7355a9ef1ad4c95 for Nautobot 1.6) address this by replacing the direct use of serve with a custom MediaView class. This new view, defined in nautobot/core/views/__init__.py, explicitly checks if a user is authenticated (request.user.is_authenticated) before serving most media files (with an exception for public branding files). Therefore, the django.views.static.serve function, as it was configured in nautobot/core/urls.py before the patch, is the vulnerable component that would be hit during exploitation when an unauthenticated user requests a protected media file. A runtime profiler would show django.views.static.serve being executed for these unauthenticated requests to the media endpoint prior to the patch being applied.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t *il*s uplo**** *y us*rs to N*uto*ot's `M**I*_ROOT` *ir**tory, in*lu*in* **vi**Typ* im*** *tt***m*nts *s w*ll *s im***s *tt***** to * Lo**tion, **vi**, or R**k, *r* s*rv** to us*rs vi* * URL *n*point t**t w*s not *n*or*in* us*r *ut**nti**t

Reasoning

T** vuln*r**ility *llow** un*ut**nti**t** ****ss to m**i* *il*s ****us* t** *j*n*o *uilt-in `s*rv*` *un*tion (`*j*n*o.vi*ws.st*ti*.s*rv*`) w*s *ir**tly *xpos** in t** URL *on*i*ur*tion (`n*uto*ot/*or*/urls.py`) *or t** `/m**i*/` p*t*. T*is *un*tion,

6.3

Basic Information

Concerned about an active attack path?

CVE-2025-49143: Nautobot may allows uploaded media files to be accessible without authentication

Impact

Patches

Workarounds

References

6.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI