
Khaliun-Sw1

#37202 of 53,638
7.5 CVSS total
Vulnerabilities · 1
PT-2026-26484
7.5
2026-03-19
Nicegui · Nicegui · CVE-2026-33332
**Name of the Vulnerable Software and Affected Versions**
NiceGUI versions prior to 3.9.0

**Description**
NiceGUI's `app.add_media_file()` and `app.add_media_files()` functions, which are used for serving media content, pass a user-controlled query parameter to the `range-response` implementation without validation. The parameter can be used to bypass chunked streaming, which allows an attacker to force the server to load entire files into memory. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service.

**Recommendations**
Upgrade to NiceGUI version 3.9.0 or later. As a workaround, restrict access to media endpoints or strip unexpected query parameters at a reverse proxy layer.