CVE-2026-25732: NiceGUI's Path Traversal via Unsanitized FileUpload.name Enables Arbitrary File Write
NiceGUI’s FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns.
Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected.
References
- github.com/advisories/GHSA-9ffm-fxg3-xrhh
- github.com/zauberzeug/nicegui
- github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py
- github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py
- github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh
- nvd.nist.gov/vuln/detail/CVE-2026-25732
Code Behaviors & Features
Detect and mitigate CVE-2026-25732 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →