Pypi · Nicegui · CVE-2026-45554
**Name of the Vulnerable Software and Affected Versions**
NiceGUI versions prior to 3.12.0
**Description**
Two FastAPI routes used for serving per-component static assets accept a sub-path parameter that can resolve to a directory instead of a file. When a request resolves to a directory, it triggers an unhandled `RuntimeError` inside Starlette's `FileResponse`, causing Uvicorn to write a full traceback to the server log. Since these routes are accessible without authentication, a remote attacker can send crafted requests to amplify log volume, potentially exhausting disk space, saturating log-shipping pipelines, and causing alert fatigue. The affected endpoints are the resource route and the ESM module route, specifically where user-supplied path segments are joined with a registered base directory. This issue does not result in remote code execution, path traversal, or data exposure.
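The defensive pattern that closes this class of bug is to check the joined path before handing it to `FileResponse`, so that a directory (or anything else that is not a regular file) becomes a plain 404 instead of an unhandled exception and a logged traceback. The following is an added illustration, not NiceGUI's own code; `resolve_asset` and `demo` are hypothetical names, and the asset tree is constructed inside a temporary directory.

```python
from pathlib import Path
from typing import Dict, Optional
import tempfile


def resolve_asset(base: Path, sub_path: str) -> Optional[Path]:
    """Return the file to serve, or None when the handler should answer 404.

    Rejects an empty sub-path (which would resolve to the base directory
    itself), paths that resolve outside `base`, missing paths, and any
    path that is not a regular file, i.e. the directory case that would
    otherwise reach FileResponse and raise RuntimeError.
    """
    if not sub_path or sub_path.endswith("/"):
        return None
    base = base.resolve()
    try:
        candidate = (base / sub_path).resolve(strict=True)
    except (FileNotFoundError, RuntimeError):
        # FileNotFoundError: no such path; RuntimeError: symlink loop
        return None
    if candidate == base or base not in candidate.parents:
        return None  # containment check, cheap to keep even if traversal is not in scope
    if not candidate.is_file():
        return None  # directory, socket, etc.: never pass to FileResponse
    return candidate


def demo() -> Dict[str, bool]:
    """Serve a set of constructed requests and report which ones are served."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        base = root / "assets"  # the registered base directory for one component
        (base / "widget").mkdir(parents=True)
        (base / "widget" / "widget.js").write_text("export default 1;\n")
        (root / "outside.txt").write_text("not an asset\n")  # outside the base
        requests = ["", "widget/", "widget", "widget/widget.js",
                    "missing.js", "../outside.txt"]
        return {p: resolve_asset(base, p) is not None for p in requests}
```

In a route handler, a `None` result maps to an `HTTPException(status_code=404)`, which is logged as an ordinary access-log line rather than a traceback.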
**Recommendations**
Update to version 3.12.0.
As a temporary workaround, place the software behind a reverse proxy that rejects requests where the path after `/_nicegui/<version>/esm/<key>/` or `/_nicegui/<version>/resources/<key>/` is empty.
Rate-limit the `/_nicegui/` prefix at the proxy level.
Configure aggressive log rotation for the affected service.