CVE-2025-53354
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-03

Last updated on: 2025-10-06

Assigner: GitHub, Inc.

Description
NiceGUI is a Python-based UI framework. Versions 2.24.2 and below are at risk for Cross-Site Scripting (XSS) when developers render unescaped user input into the DOM using ui.html(). NiceGUI did not enforce HTML or JavaScript sanitization, so applications that directly combine components like ui.input() with ui.html() or ui.chat_message with HTML content without escaping may allow attackers to execute arbitrary JavaScript in the user’s browser. Applications that do not pass untrusted input into ui.html() are not affected. This issue is fixed in version 3.0.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-03
Last Modified
2025-10-06
Generated
2026-06-16
AI Q&A
2025-10-03
EPSS Evaluated
2026-06-15
NVD
CVE-2025-53354
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
zauberzeug nicegui *
zauberzeug nicegui 3.0.0
html-sanitizer html-sanitizer 2.6.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a Cross-Site Scripting (XSS) issue in NiceGUI versions 2.24.2 and below. It occurs when developers render unescaped user input into the DOM using the ui.html() function. Because NiceGUI did not enforce HTML or JavaScript sanitization, attackers can inject and execute arbitrary JavaScript in the user's browser if untrusted input is passed directly into ui.html() or similar components without escaping.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript code in the browsers of users interacting with the affected application. This can lead to theft of sensitive information, session hijacking, defacement, or other malicious actions performed on behalf of the user.

Mitigation Strategies

To mitigate this vulnerability, upgrade NiceGUI to version 3.0.0 or later, where the issue is fixed. Additionally, ensure that your application does not pass untrusted user input directly into ui.html() without proper escaping or sanitization to prevent Cross-Site Scripting (XSS) attacks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-53354. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart