Insertion of Sensitive Information into Externally-Accessible File or Directory Affecting nautobot-ssot package, versions [,3.10.0)


Severity: medium (CVSS assessment by Snyk's Security Team)

  • Snyk ID: SNYK-PYTHON-NAUTOBOTSSOT-13654023
  • published: 23 Oct 2025
  • disclosed: 21 Oct 2025
  • credit: Gary Snider

Introduced: 21 Oct 2025

CVE-2025-62607
CWE-538

How to fix?

Upgrade nautobot-ssot to version 3.10.0 or higher.

Overview

nautobot-ssot is the Nautobot Single Source of Truth (SSoT) app.

Affected versions of this package are vulnerable to Insertion of Sensitive Information into Externally-Accessible File or Directory because the ServiceNow integration renders the ServiceNow instance name (e.g. companyname.service-now.com) in a generic Django view that requires no authentication, so any unauthenticated client that can reach the Nautobot web interface can read it.

Note:

  1. This does not expose the Secret, the Secret Name, or the Secret Value for the ServiceNow username/password.
  2. An unauthenticated user cannot change the instance name or set a Secret.
  3. The unauthenticated Configuration page does not provide access to any other Nautobot pages.

Workaround

This vulnerability can be mitigated by disabling the ServiceNow SSoT integration until the upgrade to 3.10.0 or later is applied.
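To confirm the exposure described above (and to verify that the upgrade or the workaround actually closed it), the following check fetches a page of a Nautobot instance with no session cookie or credentials and reports whether a 200 response reveals a ServiceNow instance hostname. This is an added example, not code from the nautobot-ssot project or from the advisory; the advisory does not give the URL of the affected configuration view, so the target URL is an assumption that must be supplied by the operator. Any redirect (typically to the login page) is treated as the safe outcome and is deliberately not followed.

```python
"""Unauthenticated check for a ServiceNow instance name leaking from a Nautobot page.

Added example (not nautobot-ssot project code). The path of the affected
configuration view is not stated in the advisory; pass the full URL yourself.
"""
import re
import sys
import urllib.error
import urllib.request

# A ServiceNow instance hostname such as companyname.service-now.com.
INSTANCE_RE = re.compile(
    r"\b([a-z0-9](?:[a-z0-9-]*[a-z0-9])?)\.service-now\.com\b", re.IGNORECASE
)


def find_servicenow_instances(body: str) -> list[str]:
    """Return the distinct ServiceNow instance hostnames found in a response body."""
    return sorted({m.group(0).lower() for m in INSTANCE_RE.finditer(body)})


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: a 302 to /login/ is the expected safe result."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError carrying the 3xx status


def fetch_unauthenticated(url: str, timeout: float = 10.0) -> tuple[int, str]:
    """GET url with no cookies or credentials; return (status, body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "ssot-config-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as err:
        # 3xx/4xx/5xx land here; the body may still be worth scanning.
        return err.code, err.read().decode("utf-8", errors="replace")


def assess(status: int, body: str) -> dict:
    """Classify a response: exposed only if an unauthenticated 200 reveals an instance name."""
    instances = find_servicenow_instances(body) if status == 200 else []
    return {"status": status, "instances": instances, "exposed": bool(instances)}


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: ssot_config_check.py https://nautobot.example/<path-to-ssot-config-view>")
    result = assess(*fetch_unauthenticated(sys.argv[1]))
    if result["exposed"]:
        print(f"EXPOSED (HTTP {result['status']}): {', '.join(result['instances'])}")
    else:
        print(f"not exposed (HTTP {result['status']})")
```

If the check reports EXPOSED, upgrade nautobot-ssot to 3.10.0 or later; as the interim workaround, disable the ServiceNow integration in the app's settings (in the nautobot-ssot documentation the integration is gated by an `enable_servicenow` flag under `PLUGINS_CONFIG["nautobot_ssot"]`; treat that key name as an assumption and confirm it against the version you run) and re-run the check. Note that the script only looks for the instance hostname, which is the one value the advisory says is disclosed; it does not test for the ServiceNow Secret, which the advisory states is not exposed.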
