VulnerableCode Package Details - pkg:pypi/nautobot@2.2.2

Search for packages

Vulnerability	Summary	Fixed by
VCID-vr34-ms8k-zybv Aliases: CVE-2025-49142 GHSA-wjw6-95h5-4jpx PYSEC-2025-74 PYSEC-2025-79	Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot, a malicious user could configure this feature set in ways that could expose the value of Secrets defined in Nautobot when the templated content is rendered or that could call Python APIs to modify data within Nautobot when the templated content is rendered, bypassing the object permissions assigned to the viewing user. Nautobot versions 1.6.32 and 2.4.10 will include fixes for the vulnerability. The vulnerability can be partially mitigated by configuring object permissions appropriately to limit certain actions to only trusted users.	2.4.10 Affected by 0 other vulnerabilities.
VCID-z4ux-pgu6-6kc9 Aliases: CVE-2024-36112 GHSA-qmjf-wc2h-6x3q PYSEC-2024-166	Nautobot is a Network Source of Truth and Network Automation Platform. A user with permissions to view Dynamic Group records (`extras.view_dynamicgroup` permission) can use the Dynamic Group detail UI view (`/extras/dynamic-groups/<uuid>/`) and/or the members REST API view (`/api/extras/dynamic-groups/<uuid>/members/`) to list the objects that are members of a given Dynamic Group. In versions of Nautobot between 1.3.0 (where the Dynamic Groups feature was added) and 1.6.22 inclusive, and 2.0.0 through 2.2.4 inclusive, Nautobot fails to restrict these listings based on the member object permissions - for example a Dynamic Group of Device objects will list all Devices that it contains, regardless of the user's `dcim.view_device` permissions or lack thereof. This issue has been fixed in Nautobot versions 1.6.23 and 2.2.5. Users are advised to upgrade. This vulnerability can be partially mitigated by removing `extras.view_dynamicgroup` permission from users however a full fix will require upgrading.	2.2.5 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} 2.3.0b1 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-vr34-ms8k-zybv
Aliases:
CVE-2025-49142
GHSA-wjw6-95h5-4jpx
PYSEC-2025-74
PYSEC-2025-79

Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot, a malicious user could configure this feature set in ways that could expose the value of Secrets defined in Nautobot when the templated content is rendered or that could call Python APIs to modify data within Nautobot when the templated content is rendered, bypassing the object permissions assigned to the viewing user. Nautobot versions 1.6.32 and 2.4.10 will include fixes for the vulnerability. The vulnerability can be partially mitigated by configuring object permissions appropriately to limit certain actions to only trusted users.

2.4.10
Affected by 0 other vulnerabilities.

VCID-z4ux-pgu6-6kc9
Aliases:
CVE-2024-36112
GHSA-qmjf-wc2h-6x3q
PYSEC-2024-166

Nautobot is a Network Source of Truth and Network Automation Platform. A user with permissions to view Dynamic Group records (`extras.view_dynamicgroup` permission) can use the Dynamic Group detail UI view (`/extras/dynamic-groups/<uuid>/`) and/or the members REST API view (`/api/extras/dynamic-groups/<uuid>/members/`) to list the objects that are members of a given Dynamic Group. In versions of Nautobot between 1.3.0 (where the Dynamic Groups feature was added) and 1.6.22 inclusive, and 2.0.0 through 2.2.4 inclusive, Nautobot fails to restrict these listings based on the member object permissions - for example a Dynamic Group of Device objects will list all Devices that it contains, regardless of the user's `dcim.view_device` permissions or lack thereof. This issue has been fixed in Nautobot versions 1.6.23 and 2.2.5. Users are advised to upgrade. This vulnerability can be partially mitigated by removing `extras.view_dynamicgroup` permission from users however a full fix will require upgrading.

2.2.5
Affected by 2 other vulnerabilities.

2.3.0b1
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-02T04:23:08.045360+00:00	Pypa Importer	Affected by	VCID-vr34-ms8k-zybv	https://github.com/pypa/advisory-database/blob/main/vulns/nautobot/PYSEC-2025-79.yaml	38.6.0
2026-06-02T04:21:18.813652+00:00	Pypa Importer	Affected by	VCID-z4ux-pgu6-6kc9	https://github.com/pypa/advisory-database/blob/main/vulns/nautobot/PYSEC-2024-166.yaml	38.6.0

2026-06-02T04:23:08.045360+00:00

Pypa Importer

Affected by

VCID-vr34-ms8k-zybv

https://github.com/pypa/advisory-database/blob/main/vulns/nautobot/PYSEC-2025-79.yaml

38.6.0

2026-06-02T04:21:18.813652+00:00

Pypa Importer

Affected by

VCID-z4ux-pgu6-6kc9

https://github.com/pypa/advisory-database/blob/main/vulns/nautobot/PYSEC-2024-166.yaml

38.6.0

Next non-vulnerable version	2.4.10
Latest non-vulnerable version	2.4.10
Risk