PT-2026-26484 · Nicegui · Nicegui

Aest3Ra · Published 2026-03-19 · Updated 2026-03-24 · CVE-2026-33332

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: NiceGUI versions prior to 3.9.0
Description: NiceGUI's app.add_media_file() and app.add_media_files() functions, which serve media content, pass a user-controlled query parameter to the range-response implementation without validation. This can bypass chunked streaming, allowing an attacker to force the server to load entire files into memory. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service.
Recommendations: Upgrade to NiceGUI version 3.9.0 or later. As workarounds, restrict access to the media endpoints, or strip unexpected query parameters at a reverse-proxy layer.
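The bug class described above next to its hardened form, as an added example that is not NiceGUI's code: it assumes the user-controlled query value behaves like a chunk size (the advisory does not name the parameter) and uses a hypothetical MAX_CHUNK ceiling; the sample file is constructed locally.

```python
import os
import tempfile
from typing import Iterator, Optional

# Server-side ceiling on one streamed chunk (a value chosen for this example,
# not a NiceGUI setting).
MAX_CHUNK = 64 * 1024

def _read_range(path: str, start: int, end: int, chunk_size: int) -> Iterator[bytes]:
    """Yield bytes start..end (inclusive) of the file, at most chunk_size per read."""
    remaining = end - start + 1
    with open(path, "rb") as f:
        f.seek(start)
        while remaining > 0:
            piece = f.read(min(chunk_size, remaining))
            if not piece:  # EOF before the requested end
                break
            remaining -= len(piece)
            yield piece

def stream_range_unvalidated(path: str, start: int, end: int, chunk_param: str) -> Iterator[bytes]:
    """Flawed pattern: the query value is trusted as-is, so a huge value makes
    the handler pull the whole range into a single buffer."""
    return _read_range(path, start, end, int(chunk_param))

def stream_range_validated(path: str, start: int, end: int, chunk_param: Optional[str]) -> Iterator[bytes]:
    """Hardened pattern: unparsable, non-positive or oversized values are
    replaced by the ceiling, so no single read can exceed MAX_CHUNK."""
    try:
        requested = int(chunk_param) if chunk_param is not None else MAX_CHUNK
    except ValueError:
        requested = MAX_CHUNK
    chunk_size = MAX_CHUNK if requested <= 0 else min(requested, MAX_CHUNK)
    return _read_range(path, start, end, chunk_size)

def largest_buffer(chunks: Iterator[bytes]) -> int:
    """Peak bytes held by one read; the figure a memory-exhaustion check watches."""
    return max((len(c) for c in chunks), default=0)

def make_sample_file(size: int) -> str:
    """Write a constructed zero-filled stand-in for a large media file."""
    fd, path = tempfile.mkstemp(suffix=".bin")
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * size)
    return path

if __name__ == "__main__":
    media = make_sample_file(1 << 20)  # 1 MiB
    print(largest_buffer(stream_range_unvalidated(media, 0, (1 << 20) - 1, "99999999")))  # 1048576
    print(largest_buffer(stream_range_validated(media, 0, (1 << 20) - 1, "99999999")))    # 65536
```

The same oversized value that makes the unvalidated handler buffer the whole file leaves the validated handler at its 64 KiB ceiling, which is the property a regression test for this advisory should assert.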

Exploit

Fix

RCE

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers: CVE-2026-33332, GHSA-W5G8-5849-VJ76

Affected Products: Nicegui