ghsa-72qc-wxch-74mg
Vulnerability from github
Published
2025-12-08 21:30
Modified
2025-12-09 16:28
Severity ?
VLAI Severity ?
Summary
NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection
Details
Summary
A Cross-Site Scripting (XSS) vulnerability exists in ui.add_css, ui.add_scss, and ui.add_sass functions in NiceGUI (v3.3.1 and earlier).
These functions allow developers to inject styles dynamically. However, they lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript.
Details
The vulnerability stems from how these functions inject content into the DOM using client.run_javascript (or add_head_html internally) without sufficient escaping for the transport layer.
ui.add_css: Injects content into a<style>tag. Input containing</style>closes the tag prematurely, allowing subsequent HTML/JS injection.ui.add_scss/ui.add_sass: These rely on client-side compilation within<script>tags. Input containing</script>breaks the execution context, allowing XSS.
PoC
Scenario: A developer allows users to customize a theme color via a URL parameter.
```python from nicegui import ui
@ui.page('/') def main(color: str = 'blue'): # Vulnerable implementation of dynamic theming ui.add_css(f'.q-btn {{ background-color: {color} !important; }}') ui.button('Click Me')
ui.run(port=8082)
``
**Attack Vector:**
Accessing the following URL executes arbitrary JavaScript:http://localhost:8082/?color=red;}`
Impact
- Type: Reflected XSS
- Severity: Moderate
- Affected Components: Applications using
ui.add_css,ui.add_scss, orui.add_sasswith untrusted input (e.g., dynamic theming based on user input).
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.3.1"
},
"package": {
"ecosystem": "PyPI",
"name": "nicegui"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.4.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-66469"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-08T21:30:20Z",
"nvd_published_at": "2025-12-09T00:15:49Z",
"severity": "MODERATE"
},
"details": "### Summary\nA Cross-Site Scripting (XSS) vulnerability exists in `ui.add_css`, `ui.add_scss`, and `ui.add_sass` functions in NiceGUI (v3.3.1 and earlier).\n\nThese functions allow developers to inject styles dynamically. However, they lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended `\u003cstyle\u003e` or `\u003cscript\u003e` tags by injecting closing tags (e.g., `\u003c/style\u003e` or `\u003c/script\u003e`), allowing for the execution of arbitrary JavaScript.\n\n### Details\nThe vulnerability stems from how these functions inject content into the DOM using `client.run_javascript` (or `add_head_html` internally) without sufficient escaping for the transport layer.\n\n* **`ui.add_css`**: Injects content into a `\u003cstyle\u003e` tag. Input containing `\u003c/style\u003e` closes the tag prematurely, allowing subsequent HTML/JS injection.\n* **`ui.add_scss` / `ui.add_sass`**: These rely on client-side compilation within `\u003cscript\u003e` tags. Input containing `\u003c/script\u003e` breaks the execution context, allowing XSS.\n\n### PoC\n**Scenario:** A developer allows users to customize a theme color via a URL parameter.\n\n```python\nfrom nicegui import ui\n\n@ui.page(\u0027/\u0027)\ndef main(color: str = \u0027blue\u0027):\n # Vulnerable implementation of dynamic theming\n ui.add_css(f\u0027.q-btn {{ background-color: {color} !important; }}\u0027)\n ui.button(\u0027Click Me\u0027)\n\nui.run(port=8082)\n```\n**Attack Vector:**\nAccessing the following URL executes arbitrary JavaScript:\n`http://localhost:8082/?color=red;}\u003c/style\u003e\u003cimg src=x onerror=alert(document.domain)\u003e\u003cstyle\u003e`\n\n### Impact\n* **Type:** Reflected XSS\n* **Severity:** Moderate \n* **Affected Components:** Applications using `ui.add_css`, `ui.add_scss`, or `ui.add_sass` with untrusted input (e.g., dynamic theming based on user input).",
"id": "GHSA-72qc-wxch-74mg",
"modified": "2025-12-09T16:28:50Z",
"published": "2025-12-08T21:30:20Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-72qc-wxch-74mg"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66469"
},
{
"type": "WEB",
"url": "https://github.com/zauberzeug/nicegui/commit/a8fd25b7d5e23afb1952d0f60a1940e18b5f1ca8"
},
{
"type": "PACKAGE",
"url": "https://github.com/zauberzeug/nicegui"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…