Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 pypi packages depend on nicegui (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.12.0.
DescriptionGitHub Advisory
Summary
ui.restructured_text() renders reStructuredText server-side with Docutils without disabling file insertion directives.
When a NiceGUI application passes attacker-controlled content to ui.restructured_text(), an attacker can use standard Docutils directives (include, csv-table with :file:, raw with :file:) to read local files readable by the NiceGUI server process.
Applications that only pass trusted static strings to ui.restructured_text() are not affected.
Details
The affected component is the reStructuredText renderer:
- File:
nicegui/elements/restructured_text.py - Function:
prepare_content()
prepare_content() renders user-supplied reStructuredText through Docutils:
html = publish_parts(
remove_indentation(content),
writer_name='html4',
settings_overrides={'syntax_highlight': 'short'},
)The Docutils call only sets syntax_highlight. It does not disable file insertion or raw directives, so Docutils processes directives that read local files and embed their contents into the generated HTML before it is returned to the browser. Frontend sanitization cannot prevent this because the file has already been read server-side.
A minimal vulnerable usage pattern is any page that forwards untrusted input into ui.restructured_text(), e.g. content taken from query parameters, form fields, or other user-controlled sources.
Impact
Local file disclosure. An attacker who can supply reStructuredText content can read files accessible to the NiceGUI server process. Depending on deployment, this may expose:
- application
.envfiles - database URLs, API tokens, session/storage secrets
- OAuth or cloud credentials
- Docker or Kubernetes mounted secrets
- application source files
- logs and other process-readable files
The confirmed impact is confidentiality loss through arbitrary local file read. Applications are only impacted when they pass untrusted or user-controlled reStructuredText into ui.restructured_text().
Recommended fix
Disable unsafe Docutils features in prepare_content():
html = publish_parts(
remove_indentation(content),
writer_name='html4',
settings_overrides={
'syntax_highlight': 'short',
'file_insertion_enabled': False,
'raw_enabled': False,
'_disable_config': True,
},
)This blocks the include, csv-table :file:, and raw :file: directives as well as local docutils.conf overrides.
AnalysisAI
Local file disclosure in NiceGUI versions <= 3.11.1 allows remote unauthenticated attackers to read arbitrary files accessible to the server process when applications pass user-controlled content to ui.restructured_text(). The flaw stems from Docutils being invoked without disabling file-insertion directives (include, csv-table :file:, raw :file:), enabling exfiltration of secrets, credentials, and source code. No public exploit identified at time of analysis, but the vendor advisory provides full directive-level proof patterns.
Technical ContextAI
NiceGUI is a Python-based UI framework (pkg:pip/nicegui) that wraps a server-rendered web interface. The vulnerable function prepare_content() in nicegui/elements/restructured_text.py calls Docutils' publish_parts() with only syntax_highlight set, leaving file_insertion_enabled and raw_enabled at their permissive defaults. Docutils' reStructuredText parser supports directives such as .. include::, .. csv-table:: :file:, and .. raw:: html :file:, which open and embed local filesystem content at render time. This maps to CWE-200 (Exposure of Sensitive Information) via server-side directive processing; because the file is read before HTML reaches the browser, no client-side sanitizer or CSP can block it.
RemediationAI
Vendor-released patch: NiceGUI 3.12.0 - upgrade via pip install --upgrade nicegui>=3.12.0 per the GHSA-jfrm-rx66-g536 advisory. If immediate upgrade is not possible, the workaround is to stop passing any untrusted input to ui.restructured_text() (sanitize or hard-code the rstcontent) or monkey-patch prepare_content() to call publish_parts with settings_overrides including file_insertion_enabled=False, raw_enabled=False, and _disable_config=True - this disables the include, csv-table :file:, and raw :file: directives and prevents local docutils.conf overrides, with the trade-off that legitimate file-include directives in trusted documents will also stop working. As a deployment-layer compensating control, run the NiceGUI process under a least-privileged user account in a chrooted/containerized filesystem so that even if exploitation occurs, sensitive files like .env, cloud credentials, and mounted Kubernetes secrets are not readable; note this does not eliminate the vulnerability and may break apps that rely on broader filesystem access.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same weakness CWE-200 – Information Exposure
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33963
GHSA-jfrm-rx66-g536