Impact
Nautobot, a network automation platform, has a flaw in its bulk rename UI endpoints: an attacker can submit a malicious regular expression in the find field while the use_regex flag is set. The crafted pattern can cause the application to consume excessive resources, resulting in a denial of service for the entire platform. The weakness is a classic Regular Expression Denial of Service (CWE-1333) coupled with uncontrolled resource consumption (CWE-400). The impact is a complete interruption of service for all users relying on the Nautobot instance; no direct compromise of confidentiality or integrity has been reported.
Affected Systems
The vulnerability affects Nautobot, specifically all 2.x releases before 2.4.33 and all 3.x releases before 3.1.2. Administrators should confirm that the running instance is at least version 2.4.33 (2.x line) or 3.1.2 (3.x line) to mitigate the issue.
Risk and Exploitability
A CVSS score of 6.5 places the issue at moderate severity. No EPSS data is available, so the likelihood of exploitation is unknown, and Nautobot is not listed in CISA's KEV catalog. The likely attack vector is a crafted regular expression submitted to the bulk rename endpoint; the attack may require authenticated access to the UI, but the advisory does not specify the privileges needed. If the endpoint is exposed publicly, the denial of service can be triggered by any user with HTTP access. The exploit path is straightforward: the attacker sends a request with a large or repeating pattern, exhausting server resources and causing a service interruption.
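As an added illustration (not Nautobot's code), one way a bulk-rename handler can bound the cost of a user-supplied regular expression: the pattern is applied in a disposable child process under a hard time limit and length caps, so a pathological pattern is rejected instead of stalling the server. The limits, the RenameOutcome type and the bulk_rename helper are assumptions made for this example.

```python
import multiprocessing
import re
from dataclasses import dataclass, field

# Defensive limits; the values are assumptions for this example.
MAX_PATTERN_LEN = 200      # refuse absurdly long user patterns up front
MAX_NAME_LEN = 255         # object names, not free-form text
MATCH_TIMEOUT_SEC = 0.5    # hard cap on matching time for one request

# The stdlib `re` engine cannot be interrupted by a signal, so the pattern runs
# in a child process the parent can kill ("fork" where available, e.g. Linux).
_CTX = multiprocessing.get_context(
    "fork" if "fork" in multiprocessing.get_all_start_methods() else "spawn")

@dataclass
class RenameOutcome:
    accepted: bool
    names: list = field(default_factory=list)
    reason: str = ""

def _worker(conn, find, replace, names):
    """Child process: compile and apply the pattern, report back over the pipe."""
    try:
        pattern = re.compile(find)
        conn.send(("ok", [pattern.sub(replace, n) for n in names]))
    except re.error as exc:
        conn.send(("error", f"invalid pattern: {exc}"))
    finally:
        conn.close()

def bulk_rename(names, find, replace, use_regex=False, timeout=MATCH_TIMEOUT_SEC):
    """Apply a find/replace to a batch of names with bounded cost."""
    if not use_regex:
        return RenameOutcome(True, [n.replace(find, replace) for n in names])
    if len(find) > MAX_PATTERN_LEN or any(len(n) > MAX_NAME_LEN for n in names):
        return RenameOutcome(False, reason="pattern or name exceeds length limit")
    parent, child = _CTX.Pipe(duplex=False)
    proc = _CTX.Process(target=_worker, args=(child, find, replace, names), daemon=True)
    proc.start()
    child.close()  # the parent keeps only the read end
    try:
        if not parent.poll(timeout):
            return RenameOutcome(False, reason=f"regex exceeded {timeout}s; rejected")
        status, payload = parent.recv()
    finally:
        if proc.is_alive():
            proc.terminate()  # kill a runaway backtracking match
        proc.join()
        parent.close()
    ok = status == "ok"
    return RenameOutcome(ok, payload if ok else [], "" if ok else payload)
```

The worker is a separate process rather than a thread because a thread stuck in a backtracking match cannot be stopped; the same bound should also apply wherever the pattern is previewed or validated, not only on the final rename.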
OpenCVE Enrichment
GitHub GHSA