CVE-2025-66470
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-11
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zauberzeug | nicegui | 3.3.1 |
| zauberzeug | nicegui | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a Cross-Site Scripting (XSS) issue in NiceGUI versions 3.3.1 and below. It occurs in the `ui.interactive_image` component, which renders SVG content using Vue's `v-html` directive without sanitizing it. Attackers can exploit this by injecting malicious HTML or JavaScript through the SVG `<foreignObject>` tag, which executes when the image component is rendered or updated.
How can this vulnerability impact me?
The vulnerability can allow attackers to execute malicious scripts in the context of the affected application, potentially leading to unauthorized actions, data theft, or session hijacking. This is especially dangerous for dashboards or multi-user applications that display user-generated content or annotations, as it can compromise the integrity and security of the application and its users.
What immediate steps should I take to mitigate this vulnerability?
Upgrade NiceGUI to version 3.4.0 or later, as this version fixes the XSS vulnerability in the ui.interactive_image component by properly sanitizing SVG content. Avoid using or rendering untrusted user-generated SVG content in the ui.interactive_image component until the upgrade is applied.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect this vulnerability, check whether your NiceGUI installation is version 3.3.1 or below, as these versions are affected. Additionally, search your application code or running environment for usage of the `ui.interactive_image` component rendering SVG content from unsanitized input. A practical approach is to look for the vulnerable code snippet `<g v-html="content"></g>` in `nicegui/elements/interactive_image.js`. For network detection, monitoring HTTP responses for SVG content containing `<foreignObject>` tags with suspicious embedded scripts could indicate exploitation attempts. No specific commands are provided in the resources, but you can use commands like `grep -r 'ui.interactive_image' /path/to/your/project` to find usage, or `grep -r '<foreignObject>' /path/to/served/content` to detect potentially malicious SVG content. Scanning HTTP traffic for SVG payloads with embedded scripts using tools like Wireshark or an intercepting proxy can also help detect exploitation. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows attackers to inject malicious scripts that execute in other users' browsers, potentially leading to unauthorized access or exposure of user data. This can impact compliance with standards like GDPR and HIPAA, which require protection of user data and prevention of unauthorized data access or disclosure. Specifically, the XSS vulnerability could lead to confidentiality and integrity issues of user data displayed in dashboards or multi-user applications, thereby posing risks to regulatory compliance. [1]