CVE-2026-25732
📋 TL;DR
This vulnerability in NiceGUI allows attackers to perform path traversal attacks by uploading files with malicious filenames containing '../' sequences. When developers use the vulnerable pattern of concatenating UPLOAD_DIR with file.name without sanitization, attackers can write files outside intended directories. This affects applications using NiceGUI versions before 3.7.0 that follow this common but insecure pattern.
💻 Affected Systems
- NiceGUI
📦 What is this software?
Nicegui by Zauberzeug
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution through overwriting critical application files, configuration files, or system files in vulnerable deployments.
Likely Case
Arbitrary file write outside intended upload directory, potentially leading to data corruption, denial of service, or privilege escalation.
If Mitigated
No impact if applications use fixed paths, generated filenames, or proper sanitization before using file.name in filesystem operations.
🎯 Exploit Status
Exploitation requires the application to use the vulnerable pattern. The vulnerability itself is simple to exploit once the pattern is identified.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.7.0
Vendor Advisory: https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh
Restart Required: Yes
Instructions:
1. Update NiceGUI to version 3.7.0 or later using pip: 'pip install --upgrade "nicegui>=3.7.0"' (quote the requirement so the shell does not treat '>' as a redirection).
2. Restart your application to ensure the new version is loaded.
🔧 Temporary Workarounds
Implement filename sanitization
Manually sanitize uploaded filenames before using them in filesystem paths.
import os
import re
from pathlib import Path

# Sanitize filename: keep only the final path component and strip traversal sequences
def sanitize_filename(filename):
    # Normalise Windows separators first so basename() also drops '..\\' components on POSIX hosts
    filename = filename.replace('\\', '/')
    # Keep only the last path component
    filename = os.path.basename(filename)
    # Remove any remaining ../ or ./ sequences
    filename = re.sub(r'\.\./|\./', '', filename)
    # Reject names that collapse to nothing, or to a bare '.' / '..'
    if filename in ('', '.', '..'):
        raise ValueError('invalid filename')
    return filename

# Usage in upload handler (file is the NiceGUI upload event argument, UPLOAD_DIR a pathlib.Path)
sanitized_name = sanitize_filename(file.name)
safe_path = UPLOAD_DIR / sanitized_name
Use generated filenames
Generate unique filenames instead of using client-supplied names.
import uuid
from pathlib import Path

# Generate a unique server-side filename, keeping only the extension of the client name
def generate_filename(original_name):
    # suffix is taken from the final path component only, so '../../etc/passwd' yields ''
    # (the extension is still client-controlled; allow-list it if the type matters)
    ext = Path(original_name).suffix
    unique_name = f"{uuid.uuid4()}{ext}"
    return unique_name

# Usage in upload handler (file is the NiceGUI upload event argument, UPLOAD_DIR a pathlib.Path)
generated_name = generate_filename(file.name)
safe_path = UPLOAD_DIR / generated_name
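Both workarounds above operate on the name string. A complementary defence is to resolve the final path and refuse anything that does not land inside the upload directory, which also catches cases the string cleaning misses. The following is an added example (not code from the advisory or the NiceGUI project) that places the advisory's vulnerable concatenation pattern beside such a containment check; UPLOAD_DIR is a constructed temporary directory, the filenames are constructed test values, and Path.is_relative_to requires Python 3.9 or later.

```python
import os
import tempfile
from pathlib import Path

# Constructed upload directory for the demonstration (a temp dir, not a real deployment path)
UPLOAD_DIR = Path(tempfile.mkdtemp()) / "uploads"
UPLOAD_DIR.mkdir()


def unsafe_target(filename: str) -> Path:
    """The vulnerable pattern from the advisory: concatenate UPLOAD_DIR with the client name."""
    return UPLOAD_DIR / filename


def escapes_upload_dir(path: Path) -> bool:
    """True when a candidate path, once '..' and symlinks are resolved, lies outside UPLOAD_DIR."""
    return not path.resolve().is_relative_to(UPLOAD_DIR.resolve())


def safe_target(filename: str) -> Path:
    """Hardened version: normalise separators, keep the last component, then verify containment."""
    # Treat both separator styles as separators and keep only the last component
    name = os.path.basename(filename.replace("\\", "/"))
    if name in ("", ".", ".."):
        raise ValueError(f"rejected filename: {filename!r}")
    candidate = UPLOAD_DIR / name
    # Belt and braces: the resolved path must still sit under the upload root
    if escapes_upload_dir(candidate):
        raise ValueError(f"rejected filename: {filename!r}")
    return candidate.resolve()


def demo(filename: str) -> dict:
    """Compare the two handlers on one client-supplied filename."""
    result = {"unsafe_escapes": escapes_upload_dir(unsafe_target(filename))}
    try:
        result["safe_name"] = safe_target(filename).name
    except ValueError:
        result["safe_name"] = None
    return result


if __name__ == "__main__":
    # Constructed client-supplied names: one benign, the rest traversal attempts
    for name in ["report.pdf", "../../etc/passwd", "..", "nested/../x.txt"]:
        print(f"{name!r}: {demo(name)}")
```

The containment check is what makes the handler safe regardless of how the name was cleaned: if a future change to the sanitizer lets a sequence through, the resolved path still has to start with the upload root.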
🧯 If You Can't Patch
- Review all file upload handlers and ensure they don't use 'file.name' directly in path concatenation
- Implement server-side validation that rejects filenames containing '../', '..\\', or other path traversal sequences
🔍 How to Verify
Check if Vulnerable:
Check if your application code uses patterns like 'UPLOAD_DIR / file.name' or similar concatenation with file.name without sanitization
Check Version:
python -c "import nicegui; print(nicegui.__version__)"
Verify Fix Applied:
After updating to 3.7.0+, verify that file upload functionality still works and test with malicious filenames containing '../' sequences
📡 Detection & Monitoring
Log Indicators:
- Multiple failed upload attempts with filenames containing '../' or '..\\' sequences
- File write operations outside expected upload directories
Network Indicators:
- HTTP POST requests to upload endpoints with filenames containing path traversal sequences
SIEM Query:
source="web_logs" AND (filename="*../*" OR filename="*..\\*") AND method="POST" AND uri="*/upload*"
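The SIEM query above matches a literal '../' or '..\' in the filename field; a URL-encoded variant such as %2e%2e%2f would slip past it. As an added example that is not part of the advisory, the following Python scanner applies the same logic to constructed key=value application log lines, percent-decodes the filename before testing it, and counts flagged attempts per client to surface the "multiple failed upload attempts" indicator listed above. The log format, field names and addresses are assumptions made for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample log lines (key=value style, documentation-range IPs); not from any real deployment
SAMPLE_LOGS = r"""
ts=2026-02-01T10:00:01Z client=198.51.100.7 method=POST uri=/upload filename="report.pdf" status=200
ts=2026-02-01T10:00:05Z client=198.51.100.7 method=POST uri=/upload filename="../../etc/passwd" status=400
ts=2026-02-01T10:00:06Z client=198.51.100.7 method=POST uri=/upload filename="..\..\win.ini" status=400
ts=2026-02-01T10:00:09Z client=198.51.100.7 method=POST uri=/upload filename="%2e%2e%2fconfig.yml" status=400
ts=2026-02-01T10:01:00Z client=203.0.113.4 method=GET uri=/static/app.js status=200
ts=2026-02-01T10:02:00Z client=203.0.113.4 method=POST uri=/upload filename="notes..txt" status=200
"""

# key=value pairs; values may be double-quoted (group 2) or bare (group 3)
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# A '..' path component bounded by slash, backslash, start or end of string
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')


def parse_line(line: str) -> dict:
    """Turn one key=value log line into a dict."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def has_traversal(filename: str) -> bool:
    """Detect '..' components after percent-decoding (twice, to catch double encoding such as %252e)."""
    decoded = unquote(unquote(filename))
    return bool(TRAVERSAL_RE.search(decoded))


def find_traversal_uploads(log_text: str) -> list:
    """Return the records of POSTs to an upload endpoint whose filename contains a traversal sequence."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("method") != "POST" or "/upload" not in rec.get("uri", ""):
            continue
        if has_traversal(rec.get("filename", "")):
            hits.append(rec)
    return hits


def attempts_per_client(hits: list) -> Counter:
    """Count flagged attempts per source address, the 'multiple attempts' indicator."""
    return Counter(h["client"] for h in hits)


if __name__ == "__main__":
    flagged = find_traversal_uploads(SAMPLE_LOGS)
    for rec in flagged:
        print(f"{rec['ts']} {rec['client']} filename={rec['filename']!r} status={rec['status']}")
    print("attempts per client:", dict(attempts_per_client(flagged)))
```

Note that "notes..txt" is not flagged: the regex requires '..' to be a whole path component, so a double dot inside a name does not produce a false positive, while the percent-decoding step catches the encoded forms the literal SIEM match would miss.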