Vulnerability Description
NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the `/_nicegui/{__version__}/resources/{key}/{path:path}` route. As a result any file on the backend filesystem which the web server has access to can be read by an attacker with access to the NiceUI leaflet website. This vulnerability has been addressed in version 1.4.21. Users are advised to upgrade. There are no known workarounds for this vulnerability.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://github.com/zauberzeug/nicegui/commit/ed12eb14f2a6c48b388a05c04b3c5a107ea
- https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mwc7-64wg-pgvj
- https://huntr.com/bounties/29ec621a-bd69-4225-ab0f-5bb8a1d10c67
- https://github.com/zauberzeug/nicegui/commit/ed12eb14f2a6c48b388a05c04b3c5a107ea
- https://github.com/zauberzeug/nicegui/security/advisories/GHSA-mwc7-64wg-pgvj
- https://huntr.com/bounties/29ec621a-bd69-4225-ab0f-5bb8a1d10c67
FAQ
What is CVE-2024-32005?
CVE-2024-32005 is a vulnerability with a CVSS score of 8.2 (HIGH). NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the `/_nicegui/{__version__}/resources/{key...
How severe is CVE-2024-32005?
CVE-2024-32005 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2024-32005?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.