NiceGUI’s unvalidated chunk size parameter in media routes can cause...

6.9 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.

Basic Information

ID CVE-2026-33332

Source GitHub_M

Published Mar 24, 2026 at 19:20

Modified Mar 25, 2026 at 16:19

Affected Product

Vendor zauberzeug

Product nicegui

Version < 3.9.0

Affected Versions zauberzeug nicegui < 3.9.0

CWE Classification

CWE-20 CWE-770

References

{
    "lastseen": "",
    "description": "NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.",
    "published": "2026-03-24T19:20:53.386Z",
    "modified": "2026-03-25T16:19:18.462Z",
    "type": "cve",
    "title": "NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion",
    "source": "GitHub_M",
    "references": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76\nhttps://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b\nhttps://github.com/zauberzeug/nicegui/releases/tag/v3.9.0",
    "id": "CVE-2026-33332",
    "bulletinFamily": "",
    "cwe": [
        "CWE-20",
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "zauberzeug nicegui < 3.9.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.9,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "nicegui",
    "version": "< 3.9.0",
    "vendor": "zauberzeug",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

NiceGUI’s unvalidated chunk size parameter in media routes can cause memory exhaustion_CVE-2026-33332