CVE-2026-33332

NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion

CVSS 6.9 MEDIUMEPSS 0.6%CWE-20 CWE-770

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 6.9EPSS 0.6%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

24 mar 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Productos afectados

zauberzeug · nicegui

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0 https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76