CVE-2025-21618
📋 TL;DR
NiceGUI versions before 2.9.1 have an authentication bypass: once a user logs in from one browser, every other browser that reaches the application is treated as authenticated as well, including incognito/private-mode windows. This affects all NiceGUI applications that use its authentication features. An attacker who can reach the application gets a logged-in session without supplying any credentials.
💻 Affected Systems
- NiceGUI
⚠️ Manual Verification Required
Some vulnerability databases carry no version range for this CVE, so scanners that rely on them cannot tell whether your install is affected. The vendor advisory is explicit: every release before 2.9.1 is affected and 2.9.1 is the fix, so check the installed version yourself.
- Review the CVE details at NVD and the vendor advisory linked under Fix & Mitigation
- Compare the installed NiceGUI version against 2.9.1 (see How to Verify)
- Test whether a second browser is treated as logged in after a login elsewhere (see How to Verify)
- Update to 2.9.1 or later if in doubt
⚠️ Risk & Real-World Impact
Worst Case
Complete account takeover across all user sessions, allowing attackers to access sensitive data, perform unauthorized actions, and potentially escalate privileges within the application.
Likely Case
Anyone with network access to the NiceGUI application is served authenticated pages once any legitimate user has logged in, leading to data exposure and potential manipulation.
If Mitigated
Limited impact if application is behind strong network controls, uses additional authentication layers, or doesn't handle sensitive data.
🎯 Exploit Status
Exploitation requires only network access to the NiceGUI application and a legitimate user who has logged in from any browser. After that login, a plain visit from a new browser or incognito window is treated as authenticated, so the attacker needs no credentials, no stolen session cookie and no special tooling.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.9.1
Vendor Advisory: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v6jv-p6r8-j78w
Restart Required: Yes (a running Python process keeps the old package loaded until it is restarted)
Instructions:
1. Update NiceGUI: pip install --upgrade "nicegui>=2.9.1" (and raise the pin in your requirements or lock file)
2. Verify the update: pip show nicegui
3. Restart every NiceGUI process so the new package is loaded
4. Log in from one browser, then open the application in a second browser or an incognito window and confirm it is sent to the login page
🔧 Temporary Workarounds
Enforce authentication outside the affected application
Until you can upgrade, do not rely on NiceGUI's own login state as the only access control. Put the application behind a reverse proxy or identity-aware gateway that authenticates each browser itself (forward-auth, OIDC, client certificates) and forwards only authenticated requests; the proxy keeps its own per-browser session, so a login in one browser does not admit another. An in-app fix would mean changing the application so that a request is only treated as authenticated when the browser making it has itself logged in; that is an application code change that needs the same testing as the upgrade, so the upgrade is the better use of the effort.
🧯 If You Can't Patch
- Restrict network access to the application to trusted users only (VPN, IP allow-listing, private network)
- Add an authentication layer that is enforced outside the application (SSO at a reverse proxy, VPN, client certificates). A second factor inside the NiceGUI login flow itself does not help: the bypass happens after a successful login, whatever factors that login used
🔍 How to Verify
Check if Vulnerable:
pip show nicegui | grep Version
Compare the result as a version number, not as a string (2.10.0 is newer than 2.9.1 even though it sorts lower lexically). If the installed version is below 2.9.1 and your application uses NiceGUI's authentication features, you are vulnerable.
Verify Fix Applied:
1. Update to 2.9.1 or later and restart the application
2. Log in from one browser, then open the application from a different browser or an incognito window
3. Confirm that the second browser is sent to the login page rather than served authenticated content
📡 Detection & Monitoring
Log Indicators:
- Authenticated activity for an account from a user agent or source IP that never completed a login for that account
- One account active from several user agents or IPs at the same time, shortly after a single login
Network Indicators:
- Requests from client sessions with no prior login exchange being served as authenticated
SIEM Query (Splunk-style; adjust the source and field names to what your application actually logs):
source="nicegui" AND (event="authentication_success" OR event="session_created") | stats dc(user_agent) AS agents, dc(src_ip) AS ips, values(user_agent) AS user_agents BY user | where agents > 1 OR ips > 1
Caveat: an incognito window on the same machine shares user agent and IP with the normal window, so these indicators miss that case unless the application logs its own per-browser session identifier.
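The two log indicators above, turned into code as an added example (not part of the original page and not NiceGUI's logging): the log lines are constructed JSON, and the field names ts, event, user, user_agent and src_ip are assumptions about what a login-auditing application would emit. The first function flags authenticated requests from a user-agent/IP pair that never logged in for that account; the second is the SIEM query in code form, listing accounts active from more than one client.

```python
import json
from collections import defaultdict

# Constructed sample log, not real NiceGUI output. alice logs in from Chrome, then
# authenticated requests for alice arrive from Firefox on another IP with no login.
SAMPLE_LOG = """\
{"ts": "2025-01-07T09:00:01Z", "event": "login_success", "user": "alice", "user_agent": "Chrome/131", "src_ip": "10.0.0.5"}
{"ts": "2025-01-07T09:00:04Z", "event": "authenticated_request", "user": "alice", "user_agent": "Chrome/131", "src_ip": "10.0.0.5", "path": "/dashboard"}
{"ts": "2025-01-07T09:01:10Z", "event": "authenticated_request", "user": "alice", "user_agent": "Firefox/133", "src_ip": "10.0.0.9", "path": "/dashboard"}
{"ts": "2025-01-07T09:02:00Z", "event": "login_success", "user": "bob", "user_agent": "Safari/18", "src_ip": "10.0.0.7"}
{"ts": "2025-01-07T09:02:03Z", "event": "authenticated_request", "user": "bob", "user_agent": "Safari/18", "src_ip": "10.0.0.7", "path": "/settings"}
{"ts": "2025-01-07T09:03:30Z", "event": "authenticated_request", "user": "alice", "user_agent": "Chrome/131", "src_ip": "10.0.0.5", "path": "/export"}
"""


def parse_log(text):
    """One JSON object per line, blank lines skipped, ordered by timestamp
    (ISO-8601 UTC strings sort correctly as plain strings)."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    return sorted(events, key=lambda e: e["ts"])


def client_key(ev):
    """What we can tell browsers apart by without an app-level session id."""
    return (ev["user"], ev["user_agent"], ev["src_ip"])


def unexplained_sessions(events):
    """Indicator 1: authenticated requests from a user-agent/IP pair that never
    completed a login for that account (a browser that was 'logged in' by someone else)."""
    seen_login = set()
    findings = []
    for ev in events:
        key = client_key(ev)
        if ev["event"] == "login_success":
            seen_login.add(key)
        elif ev["event"] == "authenticated_request" and key not in seen_login:
            findings.append(ev)
    return findings


def multi_client_users(events):
    """Indicator 2 (the SIEM query in code): accounts seen from more than one client."""
    clients = defaultdict(set)
    for ev in events:
        if ev["event"] in ("login_success", "authenticated_request"):
            clients[ev["user"]].add((ev["user_agent"], ev["src_ip"]))
    return {user: sorted(c) for user, c in clients.items() if len(c) > 1}
```

Both functions key on user agent plus source IP, which is all most web logs offer; an incognito window on the same machine is indistinguishable by those fields, so if your application can log its own per-browser session identifier, key on that instead and the first indicator becomes exact rather than heuristic.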