CVE-2025-49142
📋 TL;DR
This vulnerability in Nautobot allows malicious users to exploit Jinja2 templating features to expose secret values or modify data without proper permissions. All users of Nautobot versions before 1.6.32 or 2.4.10 are potentially affected. The issue stems from insufficient security configuration in computed fields, custom links, and similar templated content.
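To make the mechanism concrete, here is an added Python example (not code from Nautobot or the advisory) contrasting Jinja2's plain Environment with its SandboxedEnvironment on a constructed stand-in object. The sandbox hides underscore-prefixed attributes and refuses to call a method marked with Django's alters_data convention, which is the kind of protection the referenced Jinja2 sandbox and Django alters-data documentation describe. The Record class, its attribute names and the template strings are assumptions made for the demonstration.

```python
from jinja2 import Environment
from jinja2.sandbox import SandboxedEnvironment, SecurityError


class Record:
    """Constructed stand-in for a model object handed to a template (not a Nautobot model)."""

    def __init__(self, name, secret):
        self.name = name
        self._secret = secret      # underscore-prefixed attribute: the sandbox hides it
        self.deleted = False

    def delete(self):
        self.deleted = True
        return "deleted"

    # Django's alters_data convention; Jinja2's sandbox refuses to call such a method
    delete.alters_data = True


def render_unsandboxed(source, record):
    """Plain Environment: whatever the template author writes is executed."""
    return Environment().from_string(source).render(obj=record)


def render_sandboxed(source, record):
    """SandboxedEnvironment: returns (output, None), or (None, error) when the call is refused."""
    try:
        return SandboxedEnvironment().from_string(source).render(obj=record), None
    except SecurityError as exc:
        return None, str(exc)


if __name__ == "__main__":
    rec = Record("edge-rtr-01", "hunter2")
    print(render_unsandboxed("{{ obj.name }}: {{ obj._secret }}", rec))   # value leaks
    print(render_sandboxed("{{ obj.name }}: {{ obj._secret }}", rec))     # ('edge-rtr-01: ', None)
    print(render_unsandboxed("{{ obj.delete() }}", rec), rec.deleted)      # deleted True
    rec = Record("edge-rtr-01", "hunter2")
    print(render_sandboxed("{{ obj.delete() }}", rec), rec.deleted)        # refused, False
```

The sandbox only limits what a template may touch; it does not decide who may edit templates, which is why the object-permission workaround in the mitigation section still matters after patching.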
💻 Affected Systems
- Nautobot
📦 What is this software?
Nautobot by Networktocode
⚠️ Risk & Real-World Impact
Worst Case
Attackers could exfiltrate all stored secrets (passwords, API keys, credentials) and perform unauthorized data modifications, potentially compromising the entire network automation platform and connected systems.
Likely Case
Privileged users with template configuration access could escalate privileges to view secrets or modify data they shouldn't have access to, leading to data breaches or unauthorized configuration changes.
If Mitigated
With proper object permissions limiting template configuration to trusted users only, the attack surface is reduced but not eliminated for those with access.
🎯 Exploit Status
Exploitation requires user access with template configuration privileges. The advisory provides technical details but no public exploit code.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.6.32 or 2.4.10
Vendor Advisory: https://github.com/nautobot/nautobot/security/advisories/GHSA-wjw6-95h5-4jpx
Restart Required: Yes
Instructions:
1. Backup your Nautobot instance and database.
2. Update to Nautobot 1.6.32 (if on 1.x) or 2.4.10 (if on 2.x).
3. Restart the Nautobot service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Restrict Template Configuration Permissions
Configure object permissions to limit Jinja2 template configuration (computed fields, custom links) to only trusted, necessary users.
Configure via Nautobot admin interface: Settings → Permissions → Object Permissions
🧯 If You Can't Patch
- Immediately restrict all template configuration permissions to minimal trusted users only
- Monitor audit logs for any suspicious template modifications or unexpected secret access
🔍 How to Verify
Check if Vulnerable:
Check your Nautobot version. If it's below 1.6.32 (for 1.x) or below 2.4.10 (for 2.x), you are vulnerable.
Check Version:
Run python -c "import nautobot; print(nautobot.__version__)" from the environment in which Nautobot is installed, or check the version shown in the web interface footer.
Verify Fix Applied:
After updating, verify the version is 1.6.32 or higher (1.x) or 2.4.10 or higher (2.x). Test that template features still work but with proper sandboxing.
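As an added check (not from the advisory or Nautobot), a small Python function that applies the version thresholds stated above to a version string such as the one printed by the command above. The parsing rule, including how pre-release suffixes are ordered, is an assumption of this check rather than Nautobot's own version scheme.

```python
import re

# Fixed releases stated in the advisory; the trailing 1 marks a final (non-pre-release) build.
FIXED_VERSIONS = {1: (1, 6, 32, 1), 2: (2, 4, 10, 1)}


def parse_version(text):
    """Map '2.4.9' to (2, 4, 9, 1) and '2.4.10rc1' to (2, 4, 10, 0) so that a pre-release
    sorts below its final release. This parsing rule is an assumption of this check."""
    parts, final = [], 1
    for piece in text.strip().split(".")[:3]:
        match = re.match(r"(\d+)(.*)", piece)
        if match is None:
            break
        parts.append(int(match.group(1)))
        if match.group(2):          # trailing suffix such as 'rc1' marks a pre-release
            final = 0
    if not parts:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return tuple(parts) + (final,)


def is_vulnerable(version_text):
    """True if below the fixed release for its major line, False if at or above it,
    None for a major line the advisory does not cover."""
    version = parse_version(version_text)
    fixed = FIXED_VERSIONS.get(version[0])
    if fixed is None:
        return None
    return version < fixed


if __name__ == "__main__":
    for sample in ("1.6.31", "1.6.32", "2.3.17", "2.4.10rc1", "2.4.10"):
        print(sample, "vulnerable" if is_vulnerable(sample) else "fixed")
```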
📡 Detection & Monitoring
Log Indicators:
- Unusual template configuration changes
- Unexpected secret access patterns
- Unauthorized data modifications via templates
Network Indicators:
- Unusual API calls to template configuration endpoints
SIEM Query:
source="nautobot" AND (event="template_modification" OR event="secret_access")
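The SIEM query above is a starting point; what an analyst usually wants next is the correlation between a template change and secret access by the same account. The following added Python example (not code from Nautobot or the advisory) applies the query's predicate to constructed JSON audit-log lines and raises two kinds of alert: a template edit by an account outside an allow-list, and secret access within a short window after that account edited a template. The field names (source, event, user, object), the allow-list and the five-minute window are assumptions modelled on the query, not Nautobot's real log schema.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit-log lines; field names are assumptions modelled on the SIEM query.
SAMPLE_LOG = """\
{"ts": "2025-06-10T09:00:01Z", "source": "nautobot", "event": "template_modification", "user": "netops-admin", "object": "computedfield:serial_summary"}
{"ts": "2025-06-10T09:30:14Z", "source": "nautobot", "event": "secret_access", "user": "netops-admin", "object": "secret:tacacs-key"}
{"ts": "2025-06-10T11:42:07Z", "source": "nautobot", "event": "template_modification", "user": "contractor7", "object": "customlink:device_lookup"}
{"ts": "2025-06-10T11:42:09Z", "source": "nautobot", "event": "secret_access", "user": "contractor7", "object": "secret:tacacs-key"}
{"ts": "2025-06-10T11:42:10Z", "source": "nautobot", "event": "secret_access", "user": "contractor7", "object": "secret:snmp-community"}
{"ts": "2025-06-10T12:00:00Z", "source": "nginx", "event": "request", "user": "-", "object": "/api/"}
"""

TEMPLATE_EVENTS = {"template_modification"}
SECRET_EVENTS = {"secret_access"}
CORRELATION_WINDOW = timedelta(minutes=5)   # assumed tuning value


def parse_audit_log(text):
    """Parse JSON lines into dicts, converting 'ts' to a timezone-aware datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        records.append(rec)
    return records


def matches_siem_query(rec):
    """Same predicate as the SIEM query: source="nautobot" AND one of the two event types."""
    return rec.get("source") == "nautobot" and rec.get("event") in (TEMPLATE_EVENTS | SECRET_EVENTS)


def find_alerts(text, allowed_template_editors):
    """Return (alert_type, user, object) tuples in timestamp order."""
    alerts = []
    last_template_edit = {}   # user -> timestamp of that user's most recent template change
    for rec in sorted(parse_audit_log(text), key=lambda r: r["ts"]):
        if not matches_siem_query(rec):
            continue
        user = rec["user"]
        if rec["event"] in TEMPLATE_EVENTS:
            last_template_edit[user] = rec["ts"]
            if user not in allowed_template_editors:
                alerts.append(("unauthorized_template_edit", user, rec["object"]))
        else:
            edited_at = last_template_edit.get(user)
            if edited_at is not None and rec["ts"] - edited_at <= CORRELATION_WINDOW:
                alerts.append(("secret_access_after_template_edit", user, rec["object"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG, allowed_template_editors={"netops-admin"}):
        print(*alert)
```

On the sample data the admin's secret access half an hour after an edit stays quiet, while the contractor's edit and the two secret reads seconds later produce three alerts; the allow-list should mirror whichever accounts actually hold the object permissions described in the workaround section.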
🔗 References
- https://docs.djangoproject.com/en/4.2/ref/templates/api/#alters-data-description
- https://github.com/nautobot/nautobot/pull/7417
- https://github.com/nautobot/nautobot/pull/7429
- https://github.com/nautobot/nautobot/security/advisories/GHSA-wjw6-95h5-4jpx
- https://jinja.palletsprojects.com/en/stable/sandbox