CVE-2025-66470

6.1 MEDIUM

📋 TL;DR

NiceGUI versions 3.3.1 and below contain a cross-site scripting (XSS) vulnerability in the ui.interactive_image component. Attackers can inject malicious JavaScript via SVG foreignObject tags when rendering user-generated content, potentially compromising user sessions. This affects any application using NiceGUI for dashboards or multi-user interfaces with untrusted content.

💻 Affected Systems

Products:
  • NiceGUI
Versions: 3.3.1 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using the ui.interactive_image component with untrusted SVG content. Applications without user-generated content or that don't use this component are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full account takeover, data theft, or malware distribution to all users viewing malicious content, potentially leading to complete system compromise if admin accounts are affected.

🟠 Likely Case

Session hijacking, credential theft, or unauthorized actions performed in the context of logged-in users viewing attacker-controlled content.

🟢 If Mitigated

Limited impact with proper input validation and output encoding, potentially only affecting users who directly interact with malicious content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires the attacker to supply malicious SVG content that gets rendered via the vulnerable component. Public advisory includes technical details sufficient for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.4.0

Vendor Advisory: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-2m4f-cg75-76w2

Restart Required: Yes

Instructions:

1. Update NiceGUI to version 3.4.0 or higher using pip (quote the requirement so the shell does not treat `>` as a redirect): pip install --upgrade "nicegui>=3.4.0"
2. Restart all NiceGUI applications
3. Verify the update was successful

🔧 Temporary Workarounds

Input Validation for SVG Content

Applies to: all

Implement strict input validation to reject or sanitize SVG content containing foreignObject tags before passing it to ui.interactive_image.

Disable Interactive Image Component

Applies to: all

Remove or disable usage of the ui.interactive_image component if it is not essential.
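The input-validation workaround above, as an added example (not NiceGUI project code and not from the advisory): a small filter that parses a user-supplied SVG overlay fragment, strips or rejects foreignObject and script elements, on* event-handler attributes and javascript: hrefs, and returns the cleaned markup for ui.interactive_image. The function names, the `strict` switch and the call to `ui.interactive_image(..., content=...)` in the comment are assumptions; the sample fragments are constructed. The standard-library parser is used so the block runs offline; in production prefer defusedxml for the parse step, since this filter addresses script injection, not entity-expansion or external-entity issues.

```python
"""Defensive filter for SVG overlay fragments before they reach ui.interactive_image.
Added example, not NiceGUI code: names and the usage shown in comments are assumptions."""
import re
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"
# Register the usual SVG namespaces so serialised output keeps plain tag names
# instead of auto-generated ns0: prefixes.
ET.register_namespace("", SVG_NS)
ET.register_namespace("xlink", XLINK_NS)

# Elements that let an SVG overlay carry arbitrary HTML or script.
BLOCKED_ELEMENTS = {"foreignObject", "script"}
# href values that execute script instead of pointing at a resource.
SCRIPT_URL = re.compile(r"^\s*(javascript|vbscript)\s*:", re.IGNORECASE)


class UnsafeSvgError(ValueError):
    """Raised when the fragment is malformed, or (in strict mode) contains blocked markup."""


def _local_name(qualified):
    """Strip ElementTree's '{namespace}' prefix: '{ns}foreignObject' -> 'foreignObject'."""
    return qualified.rsplit("}", 1)[-1]


def _scrub(parent, findings, strict):
    """Walk the tree, recording and removing blocked elements and attributes."""
    for child in list(parent):
        tag = _local_name(child.tag)
        if tag in BLOCKED_ELEMENTS:
            findings.append(f"element <{tag}>")
            if strict:
                raise UnsafeSvgError(findings[-1])
            parent.remove(child)  # drops the whole subtree
            continue
        for attr in list(child.attrib):
            name = _local_name(attr)
            value = child.attrib[attr]
            # on* attributes are event handlers; href may carry a script URL.
            if name.lower().startswith("on") or (name == "href" and SCRIPT_URL.match(value)):
                findings.append(f"attribute {name} on <{tag}>")
                if strict:
                    raise UnsafeSvgError(findings[-1])
                del child.attrib[attr]
        _scrub(child, findings, strict)


def sanitize_svg_overlay(fragment, strict=False):
    """Return (cleaned_fragment, findings).

    strict=False strips blocked markup and reports what was removed;
    strict=True rejects the fragment on the first blocked item instead.
    """
    try:
        # Wrap in a dummy root so a fragment with several top-level elements parses.
        root = ET.fromstring(f"<root>{fragment}</root>")
    except ET.ParseError as exc:
        raise UnsafeSvgError(f"malformed SVG fragment: {exc}") from exc
    findings = []
    _scrub(root, findings, strict)
    cleaned = "".join(ET.tostring(child, encoding="unicode") for child in root)
    return cleaned, findings


def rejects(fragment):
    """True if strict mode would refuse this fragment (blocked markup or malformed XML)."""
    try:
        sanitize_svg_overlay(fragment, strict=True)
    except UnsafeSvgError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample input: a harmless shape next to a foreignObject wrapper.
    sample = '<circle cx="10" cy="10" r="4"/><foreignObject><div>untrusted html</div></foreignObject>'
    cleaned, removed = sanitize_svg_overlay(sample)
    print("cleaned:", cleaned)
    print("removed:", removed)
    # Assumed usage inside a NiceGUI app (the `content` keyword is an assumption):
    #     cleaned, _ = sanitize_svg_overlay(user_svg, strict=True)
    #     ui.interactive_image("image.png", content=cleaned)
```

Strict mode is the better default for multi-user dashboards: rejecting the upload tells the user why it failed and leaves nothing to guess about what a partially stripped overlay still renders.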

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Isolate NiceGUI applications behind reverse proxies with additional XSS filtering

🔍 How to Verify

Check if Vulnerable:

Check if NiceGUI version is 3.3.1 or below and application uses ui.interactive_image with untrusted SVG content

Check Version:

python -c "import nicegui; print(nicegui.__version__)"

Verify Fix Applied:

Verify NiceGUI version is 3.4.0 or higher and test that SVG foreignObject tags no longer execute JavaScript

📡 Detection & Monitoring

Log Indicators:

  • Unusual SVG content with foreignObject tags in user inputs
  • Multiple failed attempts to inject script tags

Network Indicators:

  • Unexpected JavaScript execution from SVG content
  • Suspicious content-type headers for SVG responses

SIEM Query:

source="web_logs" AND (svg_content CONTAINS "foreignObject" OR svg_content CONTAINS "<script>")
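The SIEM query above is a plain substring match, so it misses request bodies in which the markup arrives URL-encoded or HTML-entity-encoded. As an added example (not from the advisory or NiceGUI), the following scanner applies the same two indicators over a few constructed web-log lines after undoing one round of each encoding and matching case-insensitively. The log line layout (`... body=<payload>`), the function names and the sample lines are all assumptions.

```python
"""Detection helper: flag request log lines whose body carries SVG foreignObject or
script markup, including URL- or entity-encoded forms that a naive CONTAINS misses.
Added example; the log format and sample lines are constructed, not from a real system."""
import html
import re
from urllib.parse import unquote_plus

# Constructed sample log lines: method, path, status, then the request body.
SAMPLE_LOGS = [
    'POST /upload 200 body=<circle cx="10" cy="10" r="4"/>',
    'POST /upload 200 body=%3CforeignObject%3E%3Cdiv%3Ehi%3C%2Fdiv%3E%3C%2FforeignObject%3E',
    'POST /upload 200 body=&lt;SCRIPT&gt;x&lt;/SCRIPT&gt;',
    'GET /dashboard 200 body=',
]

# Same two indicators as the SIEM query, but tolerant of case and whitespace.
SUSPICIOUS = re.compile(r"<\s*(foreignobject|script)\b", re.IGNORECASE)
BODY_FIELD = re.compile(r"body=(.*)$")


def normalise(body):
    """Undo one layer of URL encoding, then HTML entities, so encoded tags become visible."""
    return html.unescape(unquote_plus(body))


def scan_log_line(line):
    """Return the matched tag name in lower case, or None if the body looks clean."""
    m = BODY_FIELD.search(line)
    if not m:
        return None
    hit = SUSPICIOUS.search(normalise(m.group(1)))
    return hit.group(1).lower() if hit else None


def scan_logs(lines):
    """Return (line_index, tag) for every line that trips an indicator."""
    results = []
    for index, line in enumerate(lines):
        tag = scan_log_line(line)
        if tag:
            results.append((index, tag))
    return results


if __name__ == "__main__":
    for index, tag in scan_logs(SAMPLE_LOGS):
        print(f"line {index}: suspicious <{tag}> markup in request body")
```

Treat a hit as a trigger for review rather than proof of exploitation: legitimate SVG uploads rarely contain foreignObject, but an application that never accepts SVG from users should see no hits at all, which makes the rule cheap to tune.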
