7.5 HIGH
- CVSS version: 3.1
- Attack vector (AV): NETWORK
- Attack complexity (AC): LOW
- Privileges required (PR): NONE
- User interaction (UI): NONE
- Scope (S): UNCHANGED
- Confidentiality impact (C): NONE
- Integrity impact (I): HIGH
- Availability impact (A): NONE
by @LeSuisse Activity log
- Created automatic suggestion
- @LeSuisse removed package python312Packages.nicegui-highcharts
- @LeSuisse removed package python313Packages.nicegui-highcharts
- @LeSuisse removed package python314Packages.nicegui-highcharts
- @LeSuisse accepted
- @LeSuisse published on GitHub
NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write
NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.
References
-
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh x_refsource_CONFIRM
-
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh x_refsource_CONFIRM
Affected products
- ==< 3.7.0
Matching in nixpkgs
pkgs.python312Packages.nicegui
Module to create web-based user interfaces
pkgs.python313Packages.nicegui
Module to create web-based user interfaces
pkgs.python314Packages.nicegui
Module to create web-based user interfaces
Package maintainers
-
@fabaff Fabian Affolter <mail@fabian-affolter.ch>