CVE-2025-66645
Published: 2025-12-09
Priority: P349 · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
EPSS: 0.96% (57.2th percentile)
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. This issue is fixed in version 3.4.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| zauberzeug | nicegui | < 3.4.0 | 3.4.0 |
| zauberzeug | nicegui | >= 0 < 3.4.0 | 3.4.0 |
OSV
osv · 2025-12-09
CVE-2025-66645 [HIGH] NiceGUI has a path traversal in app.add_media_files() that allows arbitrary file read
### Summary
A directory traversal vulnerability in NiceGUI's `App.add_media_files()` allows a remote attacker to read arbitrary files on the server filesystem.
### Details
Hello, I am Seungbin Yang, a university student studying cybersecurity.
While reviewing the source code of the repository, I discovered a potential vulnerability and successfully verified it with a PoC.
The `App.add_media_files(url_path, local_directory)` method allows users to serve media files. However, the implementation lacks proper path validation.
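The join-without-validation pattern described above, as an added example that is not NiceGUI's own code: `resolve_unsafe` reproduces a bare `Path(local_directory) / filename` join, and `resolve_safe` shows the containment check a defender would want (resolve both sides, then require the candidate to sit under the media root) before anything is served. The temporary directory layout, the file names and the helper names (`resolve_unsafe`, `resolve_safe`, `escapes`, `demo`) are constructed for this demonstration.

```python
from pathlib import Path
import tempfile

# Added example, not NiceGUI's code. It reproduces the pattern the advisory
# describes (joining a caller-controlled filename onto the media directory with
# no containment check) next to the hardened form a defender would want.


def resolve_unsafe(local_directory, filename):
    """Vulnerable pattern: a bare join.

    Path(root) / '../x' escapes the root, and Path(root) / '/etc/hosts' discards
    the root entirely because pathlib takes an absolute right operand as the
    whole path. Nothing here checks where the result actually points.
    """
    return Path(local_directory) / filename


def resolve_safe(local_directory, filename):
    """Hardened pattern: resolve both sides, then require containment.

    Returns the real file path when it exists and lies inside the media root,
    otherwise None so the caller can answer 404 without leaking why.
    """
    root = Path(local_directory).resolve()
    candidate = (root / filename).resolve()
    try:
        candidate.relative_to(root)  # raises ValueError if it escaped the root
    except ValueError:
        return None
    if not candidate.is_file():
        return None
    return candidate


def escapes(path, root):
    """True when `path`, once resolved, is not inside `root`."""
    try:
        Path(path).resolve().relative_to(Path(root).resolve())
        return False
    except ValueError:
        return True


def demo():
    """Build a constructed layout (media root with one clip, a secret beside it)
    and run both resolvers over a benign name, a ../ name and an absolute path."""
    base = Path(tempfile.mkdtemp(prefix="traversal-demo-"))  # constructed layout
    media = base / "media"
    media.mkdir()
    (media / "clip.mp3").write_bytes(b"constructed media bytes")
    secret = base / "secret.txt"
    secret.write_text("constructed secret outside the media root")

    cases = {
        "benign": "clip.mp3",
        "dotdot": "../secret.txt",
        "absolute": str(secret),
    }
    results = {}
    for label, name in cases.items():
        unsafe = resolve_unsafe(media, name)
        results[label] = {
            # the naive join yields a readable file outside the media root
            "unsafe_escapes": unsafe.is_file() and escapes(unsafe, media),
            # the hardened resolver only serves files inside the root
            "safe_serves": resolve_safe(media, name) is not None,
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label:9s} unsafe_escapes={outcome['unsafe_escapes']} "
              f"safe_serves={outcome['safe_serves']}")
```

Resolving before the `relative_to` check is what makes the test robust: it normalises `..` segments, follows symlinks, and catches the pathlib behaviour where an absolute `filename` silently replaces the base directory. A handler built on `resolve_safe` would answer 404 whenever it returns None; for deployments of the affected package, the actual remediation is the upgrade to 3.4.0 named in the advisory.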
```python
def add_media_files(self, url_path: str, local_directory: Union[str, Path]) -> None:
    @self.get(url_path.rstrip('/') + '/{filename:path}')
    def read_item(request: Request, filen
```
GHSA
ghsa · 2025-12-09
CVE-2025-66645 [HIGH] CWE-22 NiceGUI has a path traversal in app.add_media_files() that allows arbitrary file read
(Summary and Details are identical to the OSV entry above.)
No detection rules found.
No public exploits indexed.
Published: 2025-12-09