GHSA-PQ7C-X8G4-RVP6

Vulnerability from github – Published: 2026-05-18 20:22 – Updated: 2026-06-09 10:58
Summary

NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes

Details

Summary

Two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. There is no impact to confidentiality or integrity.

Details

The affected routes are the per-component resource route (added in v1.4.6) and the ESM module route (added in v3.0.0). Both join a user-supplied path segment with a registered base directory and pass the result to FileResponse. The existing existence check uses pathlib.Path.exists(), which returns True for directories — so a request whose sub-path resolves to a directory passes the guard and triggers an unhandled exception inside Starlette.

FastAPI has no default handler for RuntimeError, so each such request results in a 500 response and a multi-frame traceback in the server log.

Other NiceGUI-served paths (/static/..., /components/..., /libraries/...) are not affected; they do not use the same sub-path-to-FileResponse pattern.
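The guard mismatch described above, as an added illustration that is not NiceGUI's own code: `flawed_guard` uses the `pathlib.Path.exists()` check the advisory names, which is true for directories, while `hardened_guard` admits only regular files so a directory (including the empty sub-path, which joins to the base directory itself) is answered with a plain 404 instead of being handed to `FileResponse`. The directory layout, file names and helper names are constructed for the demo; Starlette is not imported, so the block runs offline.

```python
# Added example, not code from the NiceGUI project. It contrasts the
# existence check the advisory describes (Path.exists(), true for directories)
# with a guard that only admits regular files. The base directory and the
# files inside it are constructed in a temporary directory for the demo.
import tempfile
from pathlib import Path


def flawed_guard(base_dir: Path, sub_path: str) -> bool:
    """Guard pattern described in the advisory: exists() admits directories,
    so a directory path would be passed on to FileResponse and fail there."""
    return (base_dir / sub_path).exists()


def hardened_guard(base_dir: Path, sub_path: str) -> bool:
    """Admit only regular files; directories and missing paths are rejected
    and can be answered with a 404 instead of an unhandled exception."""
    return (base_dir / sub_path).is_file()


def classify(base_dir: Path, sub_path: str) -> str:
    """What a hardened route should do with a request: 'serve' or '404'."""
    return "serve" if hardened_guard(base_dir, sub_path) else "404"


def build_demo_tree() -> Path:
    """Constructed layout: base/ with one asset file and one subdirectory."""
    base = Path(tempfile.mkdtemp(prefix="nicegui-demo-"))
    (base / "widget.js").write_text("// asset\n")
    (base / "nested").mkdir()
    (base / "nested" / "inner.js").write_text("// nested asset\n")
    return base


def run_demo() -> dict:
    """Evaluate both guards over constructed sub-paths, including the empty
    sub-path (base / '' is the base directory itself) and a subdirectory."""
    base = build_demo_tree()
    cases = ["widget.js", "nested", "", "nested/inner.js", "missing.js"]
    return {
        sub: {
            "flawed": flawed_guard(base, sub),
            "hardened": hardened_guard(base, sub),
            "action": classify(base, sub),
        }
        for sub in cases
    }


if __name__ == "__main__":
    for sub, result in run_demo().items():
        print(f"{sub or '<empty>':>16}: {result}")
```

The two directory cases (`nested` and the empty sub-path) are the ones the advisory is about: the flawed guard passes them, the hardened guard turns them into a 404 that costs one access-log line rather than a multi-frame traceback. The upgrade to 3.12.0 is the supported fix; this block only shows the shape of the check.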

Impact

A remote, unauthenticated attacker can repeatedly trigger the error condition with crafted requests. Each request emits roughly 100 lines of traceback in a default setup, and more when additional middleware layers are present. At sustained request rates this can:

  • exhaust disk space on hosts with default log retention,
  • saturate downstream log-shipping pipelines,
  • generate alert fatigue or mask other events in monitoring.

There is no remote code execution, no path traversal, and no data exposure beyond the absolute installation path that already appears in any uncaught exception trace.

Workarounds

For deployments that cannot upgrade immediately:

  • Place NiceGUI behind a reverse proxy that rejects requests where the path after /_nicegui/<version>/esm/<key>/ or /_nicegui/<version>/resources/<key>/ is empty.
  • Rate-limit the /_nicegui/ prefix at the proxy.
  • Configure log rotation aggressively for the affected service.
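The first two workarounds expressed as a request filter, added here as an example and not code from NiceGUI or from any particular reverse proxy: a predicate that rejects requests to `/_nicegui/<version>/esm/<key>/` or `/_nicegui/<version>/resources/<key>/` whose trailing sub-path is empty, and a per-client sliding-window limiter on the `/_nicegui/` prefix. The regex, the limiter's window and limit, the client addresses and the request sequence are all constructed assumptions for the demo.

```python
# Added example in the spirit of the advisory's workarounds; not NiceGUI's or
# any proxy's code. (1) Reject the empty-sub-path form of the two dynamic
# routes. (2) Rate-limit the /_nicegui/ prefix per client. Window, limit and
# the request sequence below are illustrative assumptions.
import re
from collections import defaultdict, deque

# Matches the two dynamic routes; 'rest' is whatever follows <key>/.
DYNAMIC_ROUTE = re.compile(
    r"^/_nicegui/[^/]+/(?:esm|resources)/[^/]+/(?P<rest>.*)$"
)


def is_empty_subpath(path: str) -> bool:
    """True when the path hits one of the two routes with nothing after <key>/."""
    m = DYNAMIC_ROUTE.match(path)
    return m is not None and m.group("rest") == ""


class PrefixRateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds
    per client, applied only to paths under `prefix`."""

    def __init__(self, prefix: str = "/_nicegui/", limit: int = 60, window: float = 10.0):
        self.prefix, self.limit, self.window = prefix, limit, window
        self._hits: dict[str, deque] = defaultdict(deque)

    def allow(self, client: str, path: str, now: float) -> bool:
        if not path.startswith(self.prefix):
            return True  # only the advisory's prefix is limited
        q = self._hits[client]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop hits that fell out of the window
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def decide(limiter: PrefixRateLimiter, client: str, path: str, now: float) -> str:
    """Proxy decision for one request: reject, rate-limit, or forward."""
    if is_empty_subpath(path):
        return "reject-empty-subpath"
    if not limiter.allow(client, path, now):
        return "rate-limited"
    return "forward"


def run_demo() -> list:
    """Run a constructed request sequence (client, path, seconds) through the filter."""
    limiter = PrefixRateLimiter(limit=3, window=10.0)
    requests = [
        ("10.0.0.5", "/_nicegui/3.11.1/resources/abc123/", 0.0),
        ("10.0.0.5", "/_nicegui/3.11.1/esm/abc123/", 0.5),
        ("10.0.0.5", "/_nicegui/3.11.1/resources/abc123/widget.js", 1.0),
        ("10.0.0.5", "/_nicegui/3.11.1/resources/abc123/widget.css", 1.5),
        ("10.0.0.5", "/_nicegui/3.11.1/esm/abc123/module.js", 2.0),
        ("10.0.0.5", "/_nicegui/3.11.1/esm/abc123/other.js", 2.5),
        ("10.0.0.5", "/static/app.css", 3.0),
        ("10.0.0.9", "/_nicegui/3.11.1/esm/abc123/module.js", 3.5),
        ("10.0.0.5", "/_nicegui/3.11.1/esm/abc123/module.js", 13.0),
    ]
    return [decide(limiter, c, p, t) for c, p, t in requests]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The rejection rule consumes no limiter budget, so legitimate asset requests from the same client are unaffected by rejected ones. Note that the proxy rule covers only the empty-sub-path case the advisory names; the server-side file check in the fixed release is the complete remedy, and the limiter is there to bound log volume from any one client until the upgrade lands.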

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.11.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "nicegui"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.12.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-45554"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-248",
      "CWE-770"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-18T20:22:07Z",
    "nvd_published_at": "2026-06-02T16:16:41Z",
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nTwo FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled `RuntimeError` inside Starlette\u0027s `FileResponse`, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. There is no impact to confidentiality or integrity.\n\n### Details\n\nThe affected routes are the per-component **resource** route (added in v1.4.6) and the **ESM module** route (added in v3.0.0). Both join a user-supplied path segment with a registered base directory and pass the result to `FileResponse`. The existing existence check uses `pathlib.Path.exists()`, which returns `True` for directories \u2014 so a request whose sub-path resolves to a directory passes the guard and triggers an unhandled exception inside Starlette.\n\nFastAPI has no default handler for `RuntimeError`, so each such request results in a 500 response and a multi-frame traceback in the server log.\n\nOther NiceGUI-served paths (`/static/...`, `/components/...`, `/libraries/...`) are not affected; they do not use the same sub-path-to-`FileResponse` pattern.\n\n### Impact\n\nA remote, unauthenticated attacker can repeatedly trigger the error condition with crafted requests. Each request emits roughly 100 lines of traceback in a default setup, and more when additional middleware layers are present. At sustained request rates this can:\n\n- exhaust disk space on hosts with default log retention,\n- saturate downstream log-shipping pipelines,\n- generate alert fatigue or mask other events in monitoring.\n\nThere is no remote code execution, no path traversal, and no data exposure beyond the absolute installation path that already appears in any uncaught exception trace.\n\n### Workarounds\n\nFor deployments that cannot upgrade immediately:\n\n- Place NiceGUI behind a reverse proxy that rejects requests where the path after `/_nicegui/\u003cversion\u003e/esm/\u003ckey\u003e/` or `/_nicegui/\u003cversion\u003e/resources/\u003ckey\u003e/` is empty.\n- Rate-limit the `/_nicegui/` prefix at the proxy.\n- Configure log rotation aggressively for the affected service.",
  "id": "GHSA-pq7c-x8g4-rvp6",
  "modified": "2026-06-09T10:58:12Z",
  "published": "2026-05-18T20:22:07Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-pq7c-x8g4-rvp6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-45554"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/zauberzeug/nicegui"
    },
    {
      "type": "WEB",
      "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.12.0"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…