Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
2Blast Radius
ecosystem impact- 1 pypi packages depend on nicegui (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.12.0.
DescriptionGitHub Advisory
Summary
Two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. There is no impact to confidentiality or integrity.
Details
The affected routes are the per-component resource route (added in v1.4.6) and the ESM module route (added in v3.0.0). Both join a user-supplied path segment with a registered base directory and pass the result to FileResponse. The existing existence check uses pathlib.Path.exists(), which returns True for directories - so a request whose sub-path resolves to a directory passes the guard and triggers an unhandled exception inside Starlette.
FastAPI has no default handler for RuntimeError, so each such request results in a 500 response and a multi-frame traceback in the server log.
Other NiceGUI-served paths (/static/..., /components/..., /libraries/...) are not affected; they do not use the same sub-path-to-FileResponse pattern.
Impact
A remote, unauthenticated attacker can repeatedly trigger the error condition with crafted requests. Each request emits roughly 100 lines of traceback in a default setup, and more when additional middleware layers are present. At sustained request rates this can:
- exhaust disk space on hosts with default log retention,
- saturate downstream log-shipping pipelines,
- generate alert fatigue or mask other events in monitoring.
There is no remote code execution, no path traversal, and no data exposure beyond the absolute installation path that already appears in any uncaught exception trace.
Workarounds
For deployments that cannot upgrade immediately:
- Place NiceGUI behind a reverse proxy that rejects requests where the path after
/_nicegui/<version>/esm/<key>/or/_nicegui/<version>/resources/<key>/is empty. - Rate-limit the
/_nicegui/prefix at the proxy. - Configure log rotation aggressively for the affected service.
AnalysisAI
Log-volume denial of service in NiceGUI's dynamic static-asset routes allows remote unauthenticated attackers to flood server logs and exhaust disk or log-pipeline capacity. The two affected routes - the per-component resource route (introduced in v1.4.6) and the ESM module route (introduced in v3.0.0) - fail to distinguish directories from files before passing user-controlled paths to Starlette's FileResponse, triggering an unhandled RuntimeError that Uvicorn logs as a full multi-frame traceback (~100 lines per request). Versions up to and including 3.11.1 are affected; the fix is available in 3.12.0. No public exploit or CISA KEV listing has been identified at time of analysis. IMPORTANT: The provided tags (RCE, Path Traversal, Information Disclosure) are directly contradicted by the advisory, which explicitly states there is no remote code execution, no path traversal, and no data exposure - these tags should be treated as erroneous metadata.
Technical ContextAI
NiceGUI is a Python web UI framework built on FastAPI and Starlette, served by Uvicorn. The two affected routes construct filesystem paths by joining a user-supplied sub-path segment with a registered base directory, then call pathlib.Path.exists() as a guard before invoking Starlette's FileResponse. The flaw (CWE-248: Uncaught Exception) lies in pathlib.Path.exists() returning True for both files and directories - FileResponse is designed exclusively for files and raises a RuntimeError when handed a directory path. Because FastAPI has no default handler for RuntimeError (as opposed to HTTPException), the exception propagates to Uvicorn unhandled, producing a 500 response to the client and a full Python traceback in the server log. The affected package is pkg:pip/nicegui, versions <= 3.11.1. Other NiceGUI-served prefixes (/static/, /components/, /libraries/) do not share this sub-path-to-FileResponse pattern and are not affected.
RemediationAI
The primary remediation is to upgrade NiceGUI to version 3.12.0, which resolves the unhandled exception in both the resource and ESM module routes (vendor-released patch: 3.12.0, per GHSA-pq7c-x8g4-rvp6 at https://github.com/zauberzeug/nicegui/security/advisories/GHSA-pq7c-x8g4-rvp6). For deployments that cannot upgrade immediately, three compensating controls are available with noted trade-offs: (1) Configure a reverse proxy (nginx, Caddy, Traefik) to reject requests where the sub-path after /_nicegui/<version>/esm/<key>/ or /_nicegui/<version>/resources/<key>/ is empty - this blocks the specific directory-trigger pattern but requires accurate path matching and maintenance as NiceGUI versions change; (2) Rate-limit all requests to the /_nicegui/ prefix at the proxy layer, which reduces amplification impact but does not eliminate the error condition and may affect legitimate asset loading under high concurrency; (3) Configure aggressive log rotation (e.g., logrotate with size-based triggers, or Uvicorn log level raised to ERROR) - this bounds disk exhaustion but does not prevent log-pipeline saturation and may reduce observability for other events.
Same weakness CWE-248 – Uncaught Exception
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33965
GHSA-pq7c-x8g4-rvp6