CVE-2025-66470
NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content
Description
### Summary A Cross-Site Scripting (XSS) vulnerability exists in the `ui.interactive_image` component of NiceGUI (v3.3.1 and earlier). The component renders SVG content using Vue's `v-html` directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG `<foreignObject>` tag. ### Details The vulnerability is located in `nicegui/elements/interactive_image.js`. The component uses the following code to render content: ```javascript <g v-html="content"></g> ``` Vue's v-html directive renders raw HTML strings into the DOM. If an application allows user-controlled input to be passed to the content property of an interactive image, an attacker can embed a <foreignObject> tag containing malicious scripts, bypassing typical image restrictions. ### PoC ```python from nicegui import ui @ui.page('/') def main(): ui.label('NiceGUI SVG XSS PoC') # Standard image loading img = ui.interactive_image('[https://picsum.photos/640/360](https://picsum.photos/640/360)') # Payload: Embeds raw HTML execution inside SVG # This executes immediately when the image component is rendered img.content = ( '<foreignObject>' '<body xmlns="[http://www.w3.org/1999/xhtml](http://www.w3.org/1999/xhtml)">' '<img src=x onerror=alert("XSS-SVG")>' '</body>' '</foreignObject>' ) ui.run() ``` ### Impact - Type: Reflected / Stored XSS (depending on data source) - Severity: Moderate - Impact: Attackers can inject malicious scripts that execute whenever the image component is rendered or updated. This is particularly dangerous for dashboards or multi-user applications displaying user-generated content or annotations.
How to fix CVE-2025-66470
To remediate CVE-2025-66470, upgrade the affected package to a fixed version below.
- —upgrade to 3.4.0 or later
Is CVE-2025-66470 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.