PT-2026-41779 · Git+2 · Nicegui

Bitinerant

+1

·

Published

2026-05-18

·

Updated

2026-06-02

·

CVE-2026-45554

CVSS v3.1

5.3

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Name of the Vulnerable Software and Affected Versions NiceGUI versions prior to 3.12.0
Description Two FastAPI routes used for serving per-component static assets accept a sub-path parameter that can resolve to a directory instead of a file. When a request resolves to a directory, it triggers an unhandled RuntimeError within Starlette's FileResponse function, causing Uvicorn to write a full traceback to the server log. Since these routes are accessible without authentication, a remote attacker can send crafted requests to amplify log volume, potentially exhausting disk space, saturating log-shipping pipelines, and causing alert fatigue. The affected endpoints are the resource route and the ESM module route, specifically where user-supplied path segments are joined with a registered base directory. This issue does not result in remote code execution, path traversal, or data exposure.
Recommendations Update to version 3.12.0. As a temporary workaround, place the software behind a reverse proxy to reject requests where the path after / nicegui/<version>/esm/<key>/ or / nicegui/<version>/resources/<key>/ is empty. Rate-limit the / nicegui/ prefix at the proxy level. Configure aggressive log rotation for the affected service.

Exploit

Fix

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45554
GHSA-PQ7C-X8G4-RVP6

Affected Products

Nicegui