Description
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
Published: 2026-03-24
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Memory Exhaustion Leading to Denial of Service
Action: Immediate Patch
AI Analysis

Impact

NiceGUI is a Python‑based UI framework whose media routes allow a user‑controlled query parameter to influence file streaming. Prior to version 3.9.0 this parameter is forwarded to the range‑response logic without validation, enabling an attacker to bypass chunked streaming and force the server to load entire media files into memory. The resulting excessive memory usage can degrade performance or trigger a denial of service.

Affected Systems

The vulnerability affects the zauberzeug NiceGUI framework. All releases older than 3.9.0 are impacted. The issue was fixed in the 3.9.0 release and is absent from subsequent versions.

Risk and Exploitability

The CVSS score of 6.9 indicates a moderate severity, while an EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog. It can be exploited by sending HTTP requests to publicly exposed media routes with a crafted query parameter that forces the server to read full files into memory, which may exhaust RAM and disrupt service.

Generated by OpenCVE AI on March 26, 2026 at 16:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update NiceGUI to version 3.9.0 or later, which removes the unvalidated chunk size parameter.
  • If an update is not immediately feasible, restrict public access to the media routes, or place a reverse proxy or firewall rule that limits or blocks requests to those endpoints, thereby preventing the vulnerability from being exercised.

Generated by OpenCVE AI on March 26, 2026 at 16:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w5g8-5849-vj76 NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
History

Thu, 26 Mar 2026 13:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Wed, 25 Mar 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 25 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Zauberzeug
Zauberzeug nicegui
Vendors & Products Zauberzeug
Zauberzeug nicegui

Tue, 24 Mar 2026 19:45:00 +0000

Type Values Removed Values Added
Description NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
Title NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
Weaknesses CWE-20
CWE-770
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}

Subscriptions

Zauberzeug Nicegui
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T16:19:18.462Z

Reserved: 2026-03-18T22:15:11.812Z

Link: CVE-2026-33332

cve-icon Vulnrichment

Updated: 2026-03-25T16:19:15.730Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-24T20:16:28.743

Modified: 2026-03-26T12:58:50.417

Link: CVE-2026-33332

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:20:37Z

Weaknesses