Platform
python
Component
nicegui
Fixed in
3.4.1
3.4.0
CVE-2025-66645 describes a Path Traversal vulnerability discovered in NiceGUI, a Python framework for building web UIs. This vulnerability allows a remote attacker to read arbitrary files on the server's filesystem by exploiting the App.addmediafiles() method. The vulnerability affects NiceGUI versions 3.3.1 and earlier, and a fix is available in version 3.4.0.
The core of the vulnerability lies in the insufficient path validation within the App.addmediafiles() function. An attacker can craft malicious url_path arguments containing directory traversal sequences (e.g., ../..) to bypass intended restrictions and access files outside the intended media directory. This could expose sensitive configuration files, source code, or even system files, depending on the server's permissions and the attacker's ability to manipulate the input. Successful exploitation could lead to information disclosure and potentially compromise the entire server if sensitive credentials or keys are exposed.
This vulnerability was discovered and reported by Seungbin Yang, a cybersecurity student. A public proof-of-concept (PoC) is likely available given the detailed description and verification by the researcher. The vulnerability is not currently listed on the CISA KEV catalog, and there are no reports of active exploitation campaigns at the time of publication (2025-12-09).
Exploit Status
EPSS
1.06% (77% percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-66645 is to upgrade NiceGUI to version 3.4.0 or later, which includes the necessary path validation fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious directory traversal sequences in the urlpath parameter. Additionally, restrict file system permissions for the NiceGUI application to minimize the potential impact of a successful exploit. Carefully review and restrict the localdirectory parameter to only allow access to explicitly authorized media directories.
Actualice NiceGUI a la versión 3.4.0 o superior. Esto corrige la vulnerabilidad de path traversal en la función app.add_media_files(). La actualización se puede realizar utilizando el gestor de paquetes pip: `pip install --upgrade nicegui`.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-66645 is a Path Traversal vulnerability in NiceGUI versions 3.3.1 and earlier, allowing attackers to read arbitrary files on the server.
You are affected if you are using NiceGUI version 3.3.1 or earlier. Upgrade to version 3.4.0 to resolve the vulnerability.
Upgrade NiceGUI to version 3.4.0 or later. As a temporary workaround, implement a WAF rule to block directory traversal attempts.
There are currently no reports of active exploitation campaigns, but a PoC is likely available.
Refer to the NiceGUI repository and release notes for the official advisory and details on the fix.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your requirements.txt file and we'll tell you instantly if you're affected.