CVE-2024-32005 — NiceGUI allows potential access to local file system

Description

NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the `/_nicegui/{__version__}/resources/{key}/{path:path}` route. As a result any file on the backend filesystem which the web server has access to can be read by an attacker with access to the NiceUI leaflet website. This vulnerability has been addressed in version 1.4.21. Users are advised to upgrade. There are no known workarounds for this vulnerability.

How to fix CVE-2024-32005

To remediate CVE-2024-32005, upgrade the affected package to a fixed version below.

—upgrade to 1.4.21 or later

Is CVE-2024-32005 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 1.4.6, < 1.4.21

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-32005
PATCHgithub.com/zauberzeug/nicegui
WEBgithub.com/zauberzeug/nicegui/commit/ed12eb14f2a6c48b388a05c04b3c5a107ea9d330
WEBgithub.com/zauberzeug/nicegui/security/advisories/GHSA-mwc7-64wg-pgvj