CVE-2025-66469: NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection

December 8, 2025 (updated December 9, 2025)

A Cross-Site Scripting (XSS) vulnerability exists in ui.add_css, ui.add_scss, and ui.add_sass functions in NiceGUI (v3.3.1 and earlier).

These functions allow developers to inject styles dynamically. However, they lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript.

References

github.com/advisories/GHSA-72qc-wxch-74mg
github.com/zauberzeug/nicegui
github.com/zauberzeug/nicegui/commit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8
github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg
nvd.nist.gov/vuln/detail/CVE-2025-66469

Code Behaviors & Features

Detect and mitigate CVE-2025-66469 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →