CVE-2024-32005

HIGH

NiceGUI <1.4.21 - Local File Inclusion

Title source: llm

Description

NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the `/_nicegui/{__version__}/resources/{key}/{path:path}` route. As a result any file on the backend filesystem which the web server has access to can be read by an attacker with access to the NiceUI leaflet website. This vulnerability has been addressed in version 1.4.21. Users are advised to upgrade. There are no known workarounds for this vulnerability.

References (3)

Scores

CVSS v3 8.2
EPSS 0.0006
EPSS Percentile 20.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Classification

CWE
CWE-22 CWE-23
Status draft

Affected Products (1)

pypi/nicegui < 1.4.21PyPI

Timeline

Published Apr 12, 2024
Tracked Since Feb 18, 2026