CVE-2025-53354
BaseFortify
Publication date: 2025-10-03
Last updated on: 2025-10-06
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zauberzeug | nicegui | * |
| zauberzeug | nicegui | 3.0.0 |
| html-sanitizer | html-sanitizer | 2.6.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Scripting (XSS) issue in NiceGUI versions 2.24.2 and below. It occurs when developers render unescaped user input into the DOM using the ui.html() function. Because NiceGUI did not enforce HTML or JavaScript sanitization, attackers can inject and execute arbitrary JavaScript in the user's browser if untrusted input is passed directly into ui.html() or similar components without escaping.
How can this vulnerability impact me? :
This vulnerability can allow attackers to execute arbitrary JavaScript code in the browsers of users interacting with the affected application. This can lead to theft of sensitive information, session hijacking, defacement, or other malicious actions performed on behalf of the user.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade NiceGUI to version 3.0.0 or later, where the issue is fixed. Additionally, ensure that your application does not pass untrusted user input directly into ui.html() without proper escaping or sanitization to prevent Cross-Site Scripting (XSS) attacks.