PT-2026-41779 · Git+2 · Nicegui
Bitinerant
+1
·
Published
2026-05-18
·
Updated
2026-06-02
·
CVE-2026-45554
CVSS v3.1
5.3
Medium
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L |
Name of the Vulnerable Software and Affected Versions
NiceGUI versions prior to 3.12.0
Description
Two FastAPI routes used for serving per-component static assets accept a sub-path parameter that can resolve to a directory instead of a file. When a request resolves to a directory, it triggers an unhandled
RuntimeError within Starlette's FileResponse function, causing Uvicorn to write a full traceback to the server log. Since these routes are accessible without authentication, a remote attacker can send crafted requests to amplify log volume, potentially exhausting disk space, saturating log-shipping pipelines, and causing alert fatigue. The affected endpoints are the resource route and the ESM module route, specifically where user-supplied path segments are joined with a registered base directory. This issue does not result in remote code execution, path traversal, or data exposure.Recommendations
Update to version 3.12.0.
As a temporary workaround, place the software behind a reverse proxy to reject requests where the path after
/ nicegui/<version>/esm/<key>/ or / nicegui/<version>/resources/<key>/ is empty.
Rate-limit the / nicegui/ prefix at the proxy level.
Configure aggressive log rotation for the affected service.Exploit
Fix
Allocation of Resources Without Limits
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Nicegui