{"id":"CVE-2025-49143","summary":"Nautobot may allow uploaded media files to be accessible without authentication","details":"Nautobot is a Network Source of Truth and Network Automation Platform. Prior to v2.4.10 and v1.6.32, files uploaded by users to Nautobot's MEDIA_ROOT directory, including DeviceType image attachments as well as images attached to a Location, Device, or Rack, are served to users via a URL endpoint that was not enforcing user authentication. As a consequence, such files can be retrieved by anonymous users who know or can guess the correct URL for a given file. Nautobot v2.4.10 and v1.6.32 address this issue by adding enforcement of Nautobot user authentication to this endpoint.","aliases":["GHSA-rh67-4c8j-hjjh"],"modified":"2026-04-10T05:28:55.736593Z","published":"2025-06-10T15:43:59.225Z","database_specific":{"cwe_ids":["CWE-200"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49143.json","cna_assigner":"GitHub_M"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/49xxx/CVE-2025-49143.json"},{"type":"ADVISORY","url":"https://github.com/nautobot/nautobot/security/advisories/GHSA-rh67-4c8j-hjjh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-49143"},{"type":"FIX","url":"https://github.com/nautobot/nautobot/commit/9c892dc300429948a4714f743c9c2879d8987340"},{"type":"FIX","url":"https://github.com/nautobot/nautobot/commit/d99a53b065129cff3a0fa9abe7355a9ef1ad4c95"},{"type":"FIX","url":"https://github.com/nautobot/nautobot/pull/6672"},{"type":"FIX","url":"https://github.com/nautobot/nautobot/pull/6703"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/nautobot/nautobot","events":[{"introduced":"0"},{"fixed":"594cf835bd1e1792435fbfd14a62cc03069028eb"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.6.32"}]}},{"type":"GIT","repo":"https://github.com/nautobot/nautobot","events":[{"introduced":"3013f25b41a1409adb815afb654fad4988f640ef"},{"fixed":"62274096cc7239a77fd7ad1b1c62527e9adb33ef"}],"database_specific":{"versions":[{"introduced":"2.0.0"},{"fixed":"2.4.10"}]}}],"versions":["v1.0.0","v1.0.0a1","v1.0.0a2","v1.0.0b1","v1.0.0b2","v1.0.0b3","v1.0.0b4","v1.0.1","v1.0.2","v1.0.3","v1.1.0","v1.1.0b1","v1.1.0b2","v1.1.1","v1.1.2","v1.1.3","v1.1.4","v1.2","v1.2.0","v1.2.0b1","v1.2.1","v1.2.10","v1.2.11","v1.2.2","v1.2.3","v1.2.4","v1.2.5","v1.2.6","v1.2.7","v1.2.8","v1.2.9","v1.3","v1.3.0","v1.3.1","v1.3.10","v1.3.2","v1.3.3","v1.3.4","v1.3.5","v1.3.6","v1.3.7","v1.3.8","v1.3.9","v1.4.0","v1.4.1","v1.4.2","v1.6.10","v1.6.11","v1.6.12","v1.6.13","v1.6.14","v1.6.15","v1.6.16","v1.6.17","v1.6.18","v1.6.19","v1.6.20","v1.6.21","v1.6.22","v1.6.23","v1.6.24","v1.6.25","v1.6.26","v1.6.27","v1.6.28","v1.6.29","v1.6.3","v1.6.30","v1.6.31","v1.6.4","v1.6.5","v1.6.6","v1.6.7","v1.6.8","v1.6.9","v2.0.0","v2.0.1","v2.0.2","v2.0.3","v2.0.4","v2.0.5","v2.0.6","v2.1.0","v2.1.1","v2.1.2","v2.1.3","v2.1.4","v2.1.5","v2.1.6","v2.1.7","v2.1.8","v2.1.9","v2.2.0","v2.2.1","v2.2.2","v2.2.3","v2.2.4","v2.2.5","v2.2.6","v2.2.7","v2.2.8","v2.2.9","v2.3.0","v2.3.1","v2.3.10","v2.3.11","v2.3.12","v2.3.13","v2.3.14","v2.3.15","v2.3.16","v2.3.2","v2.3.3","v2.3.4","v2.3.5","v2.3.6","v2.3.8","v2.3.9","v2.4.0","v2.4.1","v2.4.2","v2.4.3","v2.4.4","v2.4.5","v2.4.6","v2.4.7","v2.4.8","v2.4.9"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-49143.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N"}]}