CVE-2025-66469

6.1 MEDIUM

📋 TL;DR

NiceGUI versions 3.3.1 and below are vulnerable to Reflected Cross-Site Scripting (XSS) through the ui.add_css, ui.add_scss, and ui.add_sass functions. Attackers can inject malicious JavaScript by breaking out of style/script tags, potentially compromising user sessions or performing actions on behalf of users. This affects any application using these vulnerable NiceGUI functions.

💻 Affected Systems

Products:
  • NiceGUI
Versions: 3.3.1 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using ui.add_css, ui.add_scss, or ui.add_sass functions with user-controlled input.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers execute arbitrary JavaScript in users' browsers, potentially stealing session cookies, performing actions as authenticated users, or redirecting to malicious sites.

🟠 Likely Case

Session hijacking, credential theft, or defacement of the application interface through injected malicious scripts.

🟢 If Mitigated

Limited impact with proper Content Security Policy (CSP) headers and input validation, though the vulnerability still exists.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires user interaction (clicking a malicious link) but is technically simple once the injection vector is identified.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.0

Vendor Advisory: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg

Restart Required: Yes

Instructions:

1. Update NiceGUI to version 3.4.0 or higher using pip: pip install --upgrade nicegui==3.4.0
2. Restart your application to apply the fix.

🔧 Temporary Workarounds

Input Validation

all

Implement strict input validation for parameters passed to ui.add_css, ui.add_scss, and ui.add_sass functions.

Content Security Policy

all

Implement strict CSP headers to prevent execution of injected scripts.

🧯 If You Can't Patch

  • Disable or restrict usage of ui.add_css, ui.add_scss, and ui.add_sass functions with user input
  • Implement web application firewall (WAF) rules to detect and block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check if your NiceGUI version is 3.3.1 or below and if you use ui.add_css, ui.add_scss, or ui.add_sass with user-controlled input.

Check Version:

python -c "import nicegui; print(nicegui.__version__)"

Verify Fix Applied:

Verify NiceGUI version is 3.4.0 or higher and test that user input to the affected functions no longer executes JavaScript.

📡 Detection & Monitoring

Log Indicators:

  • Unusual patterns in CSS/SCSS/SASS function calls
  • Requests containing script or style closing tags in parameters

Network Indicators:

  • HTTP requests with suspicious payloads in query parameters or POST data

SIEM Query:

source="web_logs" AND (uri_query="*</script>*" OR uri_query="*</style>*" OR post_data="*</script>*" OR post_data="*</style>*")
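The Input Validation workaround above and the detection logic behind the SIEM query, as an added Python example that is not part of the advisory or of the NiceGUI project. The gate rejects any literal `<` in user-controlled stylesheet text before it reaches ui.add_css/ui.add_scss/ui.add_sass, and the scanner applies the query's closing-tag check to URL-decoded query strings; the log format and the SAMPLE_LOG lines are constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# The HTML tokenizer closes a <style> element at "</style" regardless of case;
# "</script" and "<!--" matter if the same text ever lands in a <script>.
BREAKOUT = re.compile(r"</\s*(style|script)|<!--", re.IGNORECASE)

def is_safe_css(css: str) -> bool:
    """True if the stylesheet text cannot close the element it is embedded in.

    A stylesheet never needs a literal '<' (inside a CSS string it can be written
    as the escape '\\3c '), so the whole character is rejected, not just known tags.
    """
    return "<" not in css

def validate_user_css(css: str) -> str:
    """Gate for user-controlled text before it reaches ui.add_css/add_scss/add_sass."""
    if not is_safe_css(css):
        raise ValueError("refusing user-controlled stylesheet containing '<'")
    return css

def is_breakout_attempt(value: str) -> bool:
    """Detection counterpart of the SIEM query, applied after URL-decoding."""
    return BREAKOUT.search(unquote_plus(value)) is not None

def scan_access_log(lines):
    """Return (line_no, decoded_query) for requests whose query carries a breakout string.
    Assumes constructed combined-log-like lines: ... "<METHOD> <path>?<query> HTTP/1.1" ...
    """
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"[A-Z]+ [^ ?"]*\?([^ "]*) HTTP/', line)
        if m and is_breakout_attempt(m.group(1)):
            hits.append((n, unquote_plus(m.group(1))))
    return hits

# Constructed sample lines (not real traffic): a benign query, the closing tag the
# advisory's query lists, the same tag mixed-case and percent-encoded, no query at all.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2025:12:00:00 +0000] "GET /theme?color=red HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2025:12:00:01 +0000] "GET /theme?color=%3C%2Fstyle%3E HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2025:12:00:02 +0000] "GET /theme?color=%3c%2fSTYLE%3e HTTP/1.1" 200 512',
    '203.0.113.9 - - [10/Jan/2025:12:00:03 +0000] "GET /docs HTTP/1.1" 200 4096',
]

if __name__ == "__main__":
    for n, q in scan_access_log(SAMPLE_LOG):
        print(f"line {n}: breakout string in query {q!r}")
```

Decoding before matching is what makes the mixed-case, percent-encoded line a hit; a raw wildcard match on the encoded query string, as in the SIEM query above, would miss it.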
