PT-2024-24354 · Nicegui · Nicegui
Sunrisexu · Published 2024-04-12 · Updated 2024-04-15 · CVE-2024-32005
CVSS v3.1: 8.2 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
NiceGUI versions prior to 1.4.21
Description
A local file inclusion (path traversal) is present in the NiceGUI leaflet component when requesting resource files under the /_nicegui/{version}/resources/{key}/{path:path} route. As a result, an attacker with access to the NiceGUI leaflet website can read any file on the backend filesystem that the web server process has access to.
Recommendations
For versions prior to 1.4.21, upgrade to version 1.4.21 or later to address the vulnerability. As a temporary workaround, consider restricting access to the /_nicegui/{version}/resources/{key}/{path:path} route until the upgrade is applied.
Exploit
Fix
Path traversal
Relative Path Traversal
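As an added example (not NiceGUI's own code and not the fix shipped in 1.4.21), the kind of containment check that stops the relative path traversal described above in a `{key}/{path:path}`-style resource route; the `RESOURCES` registry and its directory are constructed assumptions.

```python
# Added example: defensive resolver for a resource route shaped like
# /_nicegui/{version}/resources/{key}/{path:path}. Not NiceGUI's code.
from pathlib import Path
from typing import Optional

# Constructed sample registry (assumption): each key maps to the one
# directory it is allowed to serve files from.
RESOURCES = {
    "leaflet": Path("/srv/app/resources/leaflet"),
}


def resolve_resource(key: str, path: str) -> Optional[Path]:
    """Map (key, path) to a file strictly inside the key's directory.

    Returns None when the key is unknown, the path is absolute, the path
    names the directory itself, or the canonical target escapes the
    registered directory (e.g. via "../" segments).
    """
    base = RESOURCES.get(key)
    if base is None:
        return None
    # An absolute path would replace the base when joined, so reject it.
    if Path(path).is_absolute():
        return None
    base = base.resolve()
    # resolve() collapses ".." and follows symlinks, so the containment
    # test below runs on the canonical location, not the request string.
    target = (base / path).resolve()
    if base not in target.parents:
        return None
    return target
```

Frameworks such as Starlette percent-decode the path parameter before routing, so the check must run on the decoded value, as it does here; a symlink inside the directory that points outside it is also rejected because the target is resolved first.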
Related Identifiers
Affected Products
Nicegui