Nixpkgs security tracker

Login with GitHub

⚠️ You are using a production deployment that is still only suitable for demo purposes. Any work done in this might be wiped later without notice.

Suggestion detail

Untriaged

Permalink CVE-2026-25732

7.5 HIGH

CVSS version: 3.1
Attack vector (AV): NETWORK
Attack complexity (AC): LOW
Privileges required (PR): NONE
User interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality impact (C): NONE
Integrity impact (I): HIGH
Availability impact (A): NONE

created 2 months ago

NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write

NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0.

References

https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh x_refsource_CONFIRM
https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115 x_refsource_MISC
https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82 x_refsource_MISC
https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh x_refsource_CONFIRM
https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115 x_refsource_MISC
https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82 x_refsource_MISC

Affected products

nicegui

==< 3.7.0

Matching in nixpkgs

pkgs.python312Packages.nicegui

Module to create web-based user interfaces

nixos-unstable 2.22.1
nixos-25.11 3.1.0
- nixpkgs-25.11-darwin 3.1.0

pkgs.python313Packages.nicegui

Module to create web-based user interfaces

nixos-unstable 2.22.1
- nixpkgs-unstable 3.6.1
- nixos-unstable-small 3.6.1
nixos-25.11 3.1.0
- nixpkgs-25.11-darwin 3.1.0

pkgs.python314Packages.nicegui

Module to create web-based user interfaces

nixos-unstable -
- nixpkgs-unstable 3.6.1
- nixos-unstable-small 3.6.1

pkgs.python312Packages.nicegui-highcharts

NiceGUI with support for Highcharts

nixos-unstable 2.1.0
nixos-25.11 3.1.0
- nixpkgs-25.11-darwin 3.1.0

pkgs.python313Packages.nicegui-highcharts

NiceGUI with support for Highcharts

nixos-unstable 2.1.0
- nixpkgs-unstable 3.1.0
- nixos-unstable-small 3.1.0
nixos-25.11 3.1.0
- nixpkgs-25.11-darwin 3.1.0

pkgs.python314Packages.nicegui-highcharts

NiceGUI with support for Highcharts

nixos-unstable -
- nixpkgs-unstable 3.1.0
- nixos-unstable-small 3.1.0

Package maintainers

@fabaff Fabian Affolter <mail@fabian-affolter.ch>