CVE-2026-21874
📋 TL;DR
This vulnerability allows unauthenticated attackers to exhaust Redis connections by repeatedly opening and closing browser tabs on NiceGUI applications using Redis-backed storage. Affected users are those running NiceGUI versions v2.10.0 through 3.4.1 with Redis storage enabled. The vulnerability leads to service degradation when Redis hits its connection limit.
💻 Affected Systems
- NiceGUI
📦 What is this software?
Nicegui by Zauberzeug
⚠️ Risk & Real-World Impact
Worst Case
Complete denial of service for Redis-backed storage functionality, potentially affecting application data persistence and user sessions while the application remains running with broken storage.
Likely Case
Service degradation with Redis connection exhaustion, causing storage operations to fail and errors to accumulate in logs while the application interface remains accessible.
If Mitigated
Minimal impact with proper connection management and monitoring in place, though some performance degradation may still occur during attack attempts.
🎯 Exploit Status
Exploitation requires no authentication and can be performed by any user accessing the application interface. A simple script can automate tab opening and closing.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: v3.5.0
Vendor Advisory: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mp55-g7pj-rvm2
Restart Required: Yes
Instructions:
1. Update NiceGUI to version 3.5.0 or later using pip (quote the specifier so the shell does not treat `>` as a redirect): pip install --upgrade "nicegui>=3.5.0"
2. Restart the NiceGUI application
3. Verify the update with: python -c "import nicegui; print(nicegui.__version__)"
🔧 Temporary Workarounds
Switch to alternative storage backend
Temporarily switch from Redis-backed storage to another supported storage backend, such as filesystem or in-memory storage.
Modify the NiceGUI configuration to use a storage_type other than 'redis'
Implement Redis connection limits
Configure the Redis server with connection limits and implement connection pooling with proper cleanup. Note that raising maxclients only delays exhaustion while leaked connections stay open; a Redis idle-client timeout (the `timeout` directive) lets the server reclaim connections the application never closes.
redis-cli CONFIG SET maxclients 10000
Implement connection pooling in application code
🧯 If You Can't Patch
- Implement rate limiting or WAF rules to limit rapid tab opening/closing requests
- Monitor Redis connection counts and implement alerts for abnormal connection growth
🔍 How to Verify
Check if Vulnerable:
Check the NiceGUI version and the Redis storage configuration. If the version is between 2.10.0 and 3.4.1 (inclusive) and Redis storage is in use, the system is vulnerable.
Check Version:
python -c "import nicegui; print(nicegui.__version__)"
Verify Fix Applied:
Verify NiceGUI version is 3.5.0 or later and test Redis connection cleanup by monitoring connections during tab operations.
📡 Detection & Monitoring
Log Indicators:
- Redis connection errors in application logs
- Rapid increase in Redis connections
- Storage operation failures
Network Indicators:
- Abnormal number of HTTP requests for tab operations
- Redis connection spikes
SIEM Query:
source="nicegui.log" AND ("redis connection" OR "connection limit" OR "storage error")
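The connection monitoring recommended under "If You Can't Patch" and "Verify Fix Applied", as an added example that is not part of this advisory or of the NiceGUI project: a small Python watcher that parses the text of a Redis `INFO clients` reply and alerts on sustained growth of `connected_clients` or on approaching `maxclients`. The INFO snapshots, the thresholds and the helper names (`ConnectionGrowthMonitor`, `scan_series`) are constructed assumptions.

```python
from collections import deque

def parse_info_clients(info_text: str) -> dict:
    """Parse the 'key:value' lines of a Redis INFO section (CRLF-separated,
    '#' comment headers) into a dict; purely numeric values become ints."""
    fields = {}
    for line in info_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        key, _, value = line.partition(":")
        fields[key] = int(value) if value.isdigit() else value
    return fields

class ConnectionGrowthMonitor:
    """Keep the last `window` connected_clients samples and flag two conditions:
    sustained growth (net increase across the window >= growth_threshold), which
    is the leak pattern this advisory describes, and nearing the server limit
    (>= usage_ratio * maxclients). Thresholds are constructed defaults."""
    def __init__(self, maxclients: int, window: int = 6,
                 growth_threshold: int = 50, usage_ratio: float = 0.8):
        self.maxclients = maxclients
        self.samples = deque(maxlen=window)
        self.growth_threshold = growth_threshold
        self.usage_ratio = usage_ratio

    def observe(self, info_text: str) -> list:
        """Record one INFO clients snapshot and return the alerts it triggers."""
        connected = parse_info_clients(info_text)["connected_clients"]
        self.samples.append(connected)
        alerts = []
        if (len(self.samples) == self.samples.maxlen
                and self.samples[-1] - self.samples[0] >= self.growth_threshold):
            alerts.append(f"sustained growth: {self.samples[0]} -> {connected} "
                          f"in {len(self.samples)} samples")
        if connected >= self.usage_ratio * self.maxclients:
            alerts.append(f"near maxclients: {connected}/{self.maxclients}")
        return alerts

def snapshot(connected: int) -> str:
    """Constructed INFO clients reply in the wire format Redis uses."""
    return (f"# Clients\r\nconnected_clients:{connected}\r\n"
            f"blocked_clients:0\r\ntracking_clients:0\r\n")

def scan_series(counts, maxclients=10000, **kwargs):
    """Feed a series of constructed snapshots through one monitor and return
    (client_count, alert_text) pairs for every alert raised."""
    mon = ConnectionGrowthMonitor(maxclients, **kwargs)
    return [(n, a) for n in counts for a in mon.observe(snapshot(n))]
```

Against a live server, replace `snapshot(n)` with the text returned by `redis-cli INFO clients` sampled at a fixed interval; a healthy NiceGUI deployment should return to its baseline count after tabs are closed, while a vulnerable one shows the monotonic growth that triggers the first alert.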