CVE

CVE-2026-33332

NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion

Summary

NiceGUI's app.add_media_file() and app.add_media_files() register media routes that accept a user-controlled query parameter controlling the chunk size used when a file is read for a range (streaming) response. The parameter is handed to the range-response implementation without validation, so a client can pick a chunk size large enough to bypass chunked streaming and make the server read an entire file into memory in a single read.

Against large media files, and amplified by concurrent requests, this leads to excessive memory consumption, degraded performance, or denial of service.
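To make the failure mode concrete, here is an added Python example that is not NiceGUI's own code: a minimal range-response reader whose chunk size comes straight from a query parameter, beside a hardened version that clamps the value into a fixed window. The query key chunk_size, the function names and the 4 KiB / 256 KiB bounds are assumptions for this example, not NiceGUI's actual parameter or limits, and the 1 MiB "media file" is constructed in memory.

```python
# Added example, not NiceGUI's code. The query key "chunk_size", the
# function names and the limits below are assumptions for illustration.
from __future__ import annotations

import io
from typing import BinaryIO, Callable, Iterator, Optional

DEFAULT_CHUNK = 8 * 1024      # read size when the client sends no parameter
MIN_CHUNK = 4 * 1024          # hardening: lower bound (hypothetical value)
MAX_CHUNK = 256 * 1024        # hardening: upper bound (hypothetical value)


def parse_range(header: Optional[str], size: int) -> tuple[int, int]:
    """Turn a single 'bytes=start-end' Range header into inclusive offsets.
    No header means the whole file."""
    if not header or not header.startswith("bytes="):
        return 0, size - 1
    start_s, _, end_s = header[len("bytes="):].partition("-")
    if start_s == "":                      # suffix form bytes=-N: the last N bytes
        n = int(end_s)
        return max(size - n, 0), size - 1
    start = int(start_s)
    end = int(end_s) if end_s else size - 1
    if start >= size or end < start:
        raise ValueError("unsatisfiable range")
    return start, min(end, size - 1)


def iter_range(fileobj: BinaryIO, start: int, end: int, chunk_size: int) -> Iterator[bytes]:
    """Yield bytes start..end (inclusive) in reads of at most chunk_size.
    A chunk_size larger than the range, or a negative one (read(-1) means
    'everything'), collapses streaming into one read of the whole range."""
    fileobj.seek(start)
    remaining = end - start + 1
    while remaining > 0:
        piece = fileobj.read(min(chunk_size, remaining))
        if not piece:
            break
        remaining -= len(piece)
        yield piece


def vulnerable_chunk_size(query: dict[str, str]) -> int:
    """The pattern the advisory describes: the client's value is used as-is."""
    return int(query.get("chunk_size", DEFAULT_CHUNK))


def hardened_chunk_size(query: dict[str, str]) -> int:
    """Fall back to the default on garbage and clamp into [MIN_CHUNK, MAX_CHUNK]."""
    raw = query.get("chunk_size")
    if raw is None:
        return DEFAULT_CHUNK
    try:
        value = int(raw)
    except ValueError:
        return DEFAULT_CHUNK
    return max(MIN_CHUNK, min(value, MAX_CHUNK))


def serve(file_bytes: bytes, range_header: Optional[str], query: dict[str, str],
          pick_chunk: Callable[[dict[str, str]], int]) -> tuple[int, int, int]:
    """Stream the requested range; return (reads, largest single read, bytes sent).
    The largest single read is the peak memory one request costs the server."""
    start, end = parse_range(range_header, len(file_bytes))
    sizes = [len(p) for p in iter_range(io.BytesIO(file_bytes), start, end, pick_chunk(query))]
    return len(sizes), max(sizes, default=0), sum(sizes)


# Constructed 1 MiB "media file"; real deployments serve far larger ones.
MEDIA = bytes(range(256)) * 4096

if __name__ == "__main__":
    for label, picker in (("vulnerable", vulnerable_chunk_size), ("hardened", hardened_chunk_size)):
        for q in ({}, {"chunk_size": str(len(MEDIA))}, {"chunk_size": "-1"}):
            print(label, q, serve(MEDIA, None, q, picker))
```

With the vulnerable picker, a request carrying chunk_size equal to the file size (or simply -1) turns a 128-read stream into a single 1 MiB read; with a multi-gigabyte video and a handful of concurrent requests that is the memory pressure the advisory describes. The hardened picker keeps the same request at 256 KiB per read no matter what the client sends. Clamping is one possible approach; the upstream commit listed under References is NiceGUI's actual fix.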

Impact

Affected applications: NiceGUI applications that serve media content through app.add_media_file() or app.add_media_files(), especially those serving large files such as video or audio.

What an attacker can do:

  • Force the server to read entire files into memory instead of streaming them in chunks
  • Amplify memory usage by issuing concurrent requests for large media files
  • Cause performance degradation, memory pressure, and potentially out-of-memory conditions

Attack difficulty: Low. The attack needs only a crafted query parameter on an otherwise ordinary request to a media route; the CVSS vectors record no privileges and no user interaction required.

Remediation

Upgrade to NiceGUI 3.9.0 or later, the version listed as the fix.

As a workaround, restrict access to the media endpoints, or strip unexpected query parameters at a reverse proxy so that only the parameters the application expects reach NiceGUI.

CVSS

CVSS 4.0, base score 6.9 (Medium):
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS 3.1, base score listed as 0 (the vector itself computes to 5.3, Medium):
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS 3.1, base score 7.5 (High):
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76
https://nvd.nist.gov/vuln/detail/CVE-2026-33332
https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b
https://github.com/zauberzeug/nicegui
https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0

Basic Information

Base CVSS: 7.5
EPSS Probability: 0.00047%
EPSS Percentile: 0.14525%
Introduced Version: 0, 1.4.9, 1.4.0, 1.2.18
Fix Available: 3.9.0
