Plattform
python
Komponente
nicegui
Behoben in
3.4.1
3.4.0
CVE-2025-66645 describes a Path Traversal vulnerability discovered in NiceGUI, a Python framework for building web UIs. This vulnerability allows a remote attacker to read arbitrary files on the server's filesystem by exploiting the App.addmediafiles() method. The vulnerability affects NiceGUI versions 3.3.1 and earlier, and a fix is available in version 3.4.0.
The core of the vulnerability lies in the App.addmediafiles(urlpath, localdirectory) function, which is intended to serve media files. The lack of robust path validation allows an attacker to craft malicious urlpath inputs containing directory traversal sequences (e.g., ../..). By manipulating this input, an attacker can bypass intended access controls and read files outside of the intended localdirectory. This could expose sensitive configuration files, source code, or other confidential data stored on the server. The potential blast radius depends on the server's configuration and the permissions of the NiceGUI process. If the NiceGUI process runs with elevated privileges, the attacker's access could extend beyond the application's directory.
This vulnerability was publicly disclosed on 2025-12-09. A proof-of-concept (PoC) is likely available given the description and the researcher's verification. The vulnerability's severity is rated HIGH (CVSS 7.5), indicating a significant risk. It is not currently listed on CISA KEV as of this writing, but its ease of exploitation warrants monitoring. Active exploitation campaigns are not yet confirmed, but the public disclosure increases the likelihood of such activity.
Organizations and individuals deploying NiceGUI applications, particularly those serving media files, are at risk. Shared hosting environments where multiple users share the same server are especially vulnerable, as an attacker could potentially exploit this vulnerability to access files belonging to other users.
• python / server:
# Check for vulnerable NiceGUI versions
python -c "import nicegui; print(nicegui.__version__)"• generic web:
curl -I 'http://your-nicegui-app/path/../sensitive/file.txt' # Check for file disclosuredisclosure
Exploit-Status
EPSS
1.06% (77% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2025-66645 is to upgrade NiceGUI to version 3.4.0 or later, which includes the necessary path validation fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out requests containing directory traversal sequences in the urlpath parameter. Additionally, restrict the permissions of the NiceGUI process to the minimum required to operate, limiting the potential damage if the vulnerability is exploited. Carefully review the localdirectory configuration to ensure it points to a secure and restricted location. No specific Sigma or YARA rules are readily available, but custom rules can be developed to detect suspicious file access patterns.
Actualice NiceGUI a la versión 3.4.0 o superior. Esto corrige la vulnerabilidad de path traversal en la función app.add_media_files(). La actualización se puede realizar utilizando el gestor de paquetes pip: `pip install --upgrade nicegui`.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2025-66645 is a Path Traversal vulnerability in NiceGUI versions 3.3.1 and earlier, allowing attackers to read arbitrary files on the server.
You are affected if you are using NiceGUI version 3.3.1 or earlier. Upgrade to version 3.4.0 to resolve the vulnerability.
Upgrade NiceGUI to version 3.4.0 or later. As a temporary workaround, implement a WAF rule to block directory traversal attempts.
There are currently no reports of active exploitation campaigns, but a PoC is likely available.
Refer to the NiceGUI repository and release notes for the official advisory and details on the fix.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.
Lade deine requirements.txt-Datei hoch und wir sagen dir sofort, ob du betroffen bist.