GHSA-hxp3-63hc-5366

Suggest an improvement
Source
https://github.com/advisories/GHSA-hxp3-63hc-5366
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-hxp3-63hc-5366/GHSA-hxp3-63hc-5366.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hxp3-63hc-5366
Aliases
Published
2025-12-09T14:25:15Z
Modified
2025-12-09T14:56:17.022724Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
NiceGUI has a path traversal in app.add_media_files() allows arbitrary file read
Details

Summary

A directory traversal vulnerability in NiceGUI's App.add_media_files() allows a remote attacker to read arbitrary files on the server filesystem.

Details

Hello, I am Seungbin Yang, a university student studying cybersecurity. While reviewing the source code of the repository, I discovered a potential vulnerability and successfully verified it with a PoC.

The App.add_media_files(url_path, local_directory) method allows users to serve media files. However, the implementation lacks proper path validation.

def add_media_files(self, url_path: str, local_directory: Union[str, Path]) -> None:
    @self.get(url_path.rstrip('/') + '/{filename:path}')
    def read_item(request: Request, filename: str, nicegui_chunk_size: int = 8192) -> Response:
        filepath = Path(local_directory) / filename
        if not filepath.is_file():
            raise HTTPException(status_code=404, detail='Not Found')
        return get_range_response(filepath, request, chunk_size=nicegui_chunk_size)

Root Cause: 1. The {filename:path} parameter accepts full paths, including traversal sequences like ../. 2. The code simply joins localdirectory and filename without checking if the result is still inside the localdirectory. 3. There is no path sanitization or boundary check.

Consequence: An attacker can use .. to access files outside the intended directory. If the application has permission, sensitive files (e.g., /etc/hosts, source code, config files) can be exposed.

POC

  1. Create poc.py:

    # poc.py
from pathlib import Path
from nicegui import app, ui

MEDIA_DIR = Path(__file__).parent / 'media'
MEDIA_DIR.mkdir(exist_ok=True)

# Expose local "media" directory at /media
app.add_media_files('/media', MEDIA_DIR)

@ui.page('/')
def index():
    ui.label('NiceGUI media PoC')

ui.run(port=8080, reload=False)

  2. Run the application: python3 poc.py

  3. Exploit with curl: Use URL-encoded dots (%2e) to bypass client-side checks. curl -v "http://localhost:8080/media/%2e%2e/%2e%2e/%2e%2e/etc/hosts"

Result:

The HTTP status is 200 OK, and the response body contains the contents of the server’s /etc/hosts file.

I have attached a screenshot of the successful exploitation below. As shown in the image, the content of /etc/hosts displayed via cat matches the output received from the curl request perfectly.

<img width="1728" height="1078" alt="POC screenshot" src="https://github.com/user-attachments/assets/6c1be75b-6be2-4372-90df-55042c1e4775" />

Impact

Any NiceGUI application that calls app.addmediafiles() on a URL path reachable by an attacker is affected. An unauthenticated remote attacker can read sensitive files outside the intended media directory, potentially exposing:

•Application source code and configuration files •Credentials, API keys, and secrets •Operating system configuration files (e.g., /etc/passwd, /etc/hosts)

This is my first github vulnerability report, so I would appreciate your understanding regarding any potential shortcomings. If you require any further information or clarification, please feel free to contact me at y4rvin@naver.com.

Thank you.

Database specific 
{
    "severity": "HIGH",
    "cwe_ids": [
        "CWE-22"
    ],
    "nvd_published_at": null,
    "github_reviewed_at": "2025-12-09T14:25:15Z",
    "github_reviewed": true
}
References

Affected packages

PyPI / nicegui

Package

Name
nicegui
View open source insights on deps.dev
Purl
pkg:pypi/nicegui

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.4.0

Affected versions

0.*

0.1.0
0.1.4
0.1.6
0.2.0
0.2.1
0.2.2
0.2.3
0.2.4
0.2.9
0.2.10
0.2.11
0.2.12
0.2.13
0.2.14
0.2.15
0.3.0
0.3.1
0.3.2
0.3.3
0.3.4
0.3.5
0.3.6
0.3.7
0.3.8
0.3.9
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.4.7
0.4.8
0.4.9
0.4.10
0.4.11
0.4.12
0.4.13
0.4.14
0.4.15
0.5.0
0.5.1
0.5.2
0.5.3
0.5.4
0.5.5
0.5.6
0.5.7
0.5.8
0.5.9
0.5.10
0.5.11
0.5.12
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.6.10
0.6.11
0.6.12
0.6.13
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.6
0.7.7
0.7.8
0.7.9
0.7.10
0.7.11
0.7.12
0.7.13
0.7.14
0.7.15
0.7.16
0.7.17
0.7.18
0.7.19
0.7.21
0.7.22
0.7.23
0.7.24
0.7.25
0.7.26
0.7.27
0.7.28
0.7.29
0.7.30
0.8.0
0.8.1
0.8.2
0.8.3
0.8.4
0.8.5
0.8.6
0.8.7
0.8.8
0.8.9
0.8.10
0.8.11
0.8.12
0.8.13
0.8.14
0.8.15
0.8.16
0.9.0
0.9.1
0.9.2
0.9.3
0.9.4
0.9.5
0.9.6
0.9.7
0.9.8
0.9.9
0.9.10
0.9.11
0.9.12
0.9.13
0.9.14
0.9.15
0.9.16
0.9.17
0.9.18
0.9.19
0.9.20
0.9.21
0.9.22
0.9.23
0.9.24
0.9.25
0.9.26
0.9.27
0.9.28

1.*

1.0.1
1.0.2
1.0.3
1.0.4
1.0.5
1.0.6
1.0.7
1.0.8
1.0.9
1.0.10
1.1.0
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.1.7
1.1.8
1.1.9
1.1.10
1.1.11
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.2.9
1.2.10
1.2.11
1.2.12
1.2.13
1.2.14
1.2.15
1.2.16
1.2.17
1.2.18
1.2.20
1.2.21
1.2.22
1.2.23
1.2.24
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.3.10
1.3.11
1.3.12
1.3.13
1.3.14
1.3.15
1.3.16
1.3.17
1.3.18
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.4.8
1.4.9
1.4.10
1.4.11
1.4.12
1.4.13
1.4.14
1.4.15
1.4.16
1.4.17
1.4.18
1.4.19
1.4.20
1.4.21
1.4.22
1.4.23
1.4.24
1.4.25
1.4.26
1.4.27
1.4.28
1.4.29
1.4.30
1.4.31
1.4.33
1.4.34
1.4.35
1.4.36
1.4.37

2.*

2.0.0
2.0.1
2.1.0
2.2.0
2.3.0
2.4.0
2.5.0
2.7.0
2.8.0
2.8.1
2.9.0
2.9.1
2.10.0
2.10.1
2.11.0
2.11.1
2.12.0
2.12.1
2.13.0
2.14.0
2.14.1
2.15.0
2.16.0
2.16.1
2.17.0
2.18.0
2.19.0
2.20.0
2.21.0
2.21.1
2.22.0
2.22.1
2.22.2
2.23.0
2.23.1
2.23.2
2.23.3
2.24.0
2.24.1
2.24.2

3.*

3.0.0rc1
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.1.0
3.2.0
3.3.0
3.3.1