EUVD-2026-20610

Description

### Summary The upload filename sanitization introduced in GHSA-9ffm-fxg3-xrhh uses `PurePosixPath(filename).name` to strip path components. Since `PurePosixPath` only recognizes forward slashes (`/`) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (`\`) in the upload filename. Applications that construct file paths using `file.name` (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows. ### Details The sanitization in `nicegui/elements/upload_files.py` uses: ```python filename = PurePosixPath(upload.filename or '').name ``` `PurePosixPath` treats backslashes as literal characters, not path separators: ```python >>> PurePosixPath('..\\..\\secret\\evil.txt').name '..\\..\\secret\\evil.txt' # Not stripped! ``` When this filename is used in a path operation on Windows (e.g., `Path('uploads') / file.name`), Windows `Path` interprets backslashes as directory separators, resolving the path outside the intended directory. ### Impact On Windows deployments of NiceGUI applications that use `file.name` in path construction: - **Arbitrary file write** outside the intended upload directory - **Potential remote code execution** through overwriting application files or placing executables in known locations - **Data integrity loss** through overwriting existing files Linux and macOS are not affected, as they treat backslashes as literal filename characters.

Priority Score