CVE-2024-32005
Description
NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceGUI leaflet component when requesting resource files under the /_nicegui/{__version__}/resources/{key}/{path:path} route. As a result, any file on the backend filesystem which the web server has access to can be read by an attacker with access to the NiceGUI leaflet website. This vulnerability has been addressed in version 1.4.21. Users are advised to upgrade. There are no known workarounds for this vulnerability.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nicegui (PyPI) | >= 1.4.6, < 1.4.21 | 1.4.21 |
Patches
ed12eb14f2a6 prevent local file access (see security advisory GHSA-mwc7-64wg-pgvj)
1 file changed · +4 −0
nicegui/nicegui.py+4 −0 modified@@ -96,6 +96,10 @@ def _get_component(key: str) -> FileResponse: def _get_resource(key: str, path: str) -> FileResponse: if key in resources: filepath = resources[key].path / path + try: + filepath.resolve().relative_to(resources[key].path.resolve()) # NOTE: use is_relative_to() in Python 3.9 + except ValueError as e: + raise HTTPException(status_code=403, detail='forbidden') from e if filepath.exists(): headers = {'Cache-Control': 'public, max-age=3600'} media_type, _ = mimetypes.guess_type(filepath)
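Review bot: in the `_get_resource` hunk, `resources[key].path.resolve()` is recomputed on every request even though the resource root is fixed when it is registered; resolving the root once and storing the resolved `Path` would keep the check but drop a filesystem round trip per request. Two behaviours of the new check deserve a code comment: because `filepath.resolve()` follows symlinks, a link inside the resources directory that points outside it is now refused with 403 instead of served, and since `resolve()` is non-strict by default the check also works for nonexistent paths, so placing it before `filepath.exists()` is correct. The `# NOTE: use is_relative_to() in Python 3.9` comment would read better as a TODO naming the minimum supported interpreter version, since the `try`/`except ValueError` form exists only to support interpreters older than 3.9.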
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
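To make the mechanics concrete, here is an added Python example (not NiceGUI's own code) that reproduces the unchecked join used by the affected resource route beside the resolve-and-relative_to containment check the patch introduces, run against a constructed temporary resource tree; `resolve_vulnerable`, `resolve_hardened`, `serve` and `demo` are illustrative names.

```python
import tempfile
from pathlib import Path
from typing import Optional

OK, FORBIDDEN, NOT_FOUND = 200, 403, 404


def resolve_vulnerable(root: Path, requested: str) -> Path:
    """Pre-1.4.21 behaviour: join the request path onto the root, no containment check."""
    return root / requested


def resolve_hardened(root: Path, requested: str) -> Optional[Path]:
    """Post-fix behaviour: resolve both sides and require the target to lie under root."""
    candidate = (root / requested).resolve()  # non-strict, so missing files resolve too
    try:
        candidate.relative_to(root.resolve())
    except ValueError:
        return None  # escaped the root: caller answers 403
    return candidate


def serve(root: Path, requested: str) -> int:
    """HTTP status the hardened handler would answer with."""
    target = resolve_hardened(root, requested)
    if target is None:
        return FORBIDDEN
    return OK if target.is_file() else NOT_FOUND


def demo() -> dict:
    """Build a constructed resource tree in a temp dir and exercise both variants."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        root = base / "resources" / "leaflet"  # constructed resource root
        root.mkdir(parents=True)
        (root / "leaflet.js").write_text("// constructed resource file")
        (base / "secret.txt").write_text("constructed secret outside the root")
        traversal = "../../secret.txt"  # climbs out of leaflet/ and resources/
        symlink_status = None  # stays None where the platform cannot create symlinks
        try:
            (root / "link.js").symlink_to(base / "secret.txt")
            symlink_status = serve(root, "link.js")  # resolve() follows the link: 403
        except OSError:
            pass
        return {
            "vulnerable_reads_secret": resolve_vulnerable(root, traversal).read_text(),
            "hardened_status_traversal": serve(root, traversal),
            "hardened_status_legit": serve(root, "leaflet.js"),
            "hardened_status_missing": serve(root, "nope.js"),
            "hardened_status_symlink": symlink_status,
        }
```

The vulnerable variant hands back the file outside the root, while the hardened variant refuses both the `..` traversal and a symlink that escapes the directory, and still serves or 404s paths that stay inside it.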
References
- github.com/advisories/GHSA-mwc7-64wg-pgvj (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-32005 (GHSA, advisory)
- github.com/zauberzeug/nicegui/commit/ed12eb14f2a6c48b388a05c04b3c5a107ea9d330 (NVD, web)
- github.com/zauberzeug/nicegui/security/advisories/GHSA-mwc7-64wg-pgvj (NVD, web)
- huntr.com/bounties/29ec621a-bd69-4225-ab0f-5bb8a1d10c67 (NVD, web)