CVE-2026-33332
Received - Intake
Improper Input Validation in NiceGUI Media Streaming Causes DoS

Publication date: 2026-03-24

Last updated on: 2026-03-26

Assigner: GitHub, Inc.

Description
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
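To make the mechanism concrete, the following is an added illustrative model, not NiceGUI's own code: a range reader that serves a requested byte range in chunks, a chunk-size parser that trusts the query string the way the pre-3.9.0 routes did, and a hardened parser that clamps the value. The parameter name `chunk_size`, the 8192-byte default and the 1 MiB ceiling are assumptions; the page does not name the real parameter or state the limit the fix applies. The media file is constructed in a temporary directory so the script runs offline.

```python
"""Model of the media-route issue in CVE-2026-33332 (added example).

Illustrative code, not NiceGUI's own. Assumptions: the user-controlled query
parameter is an integer chunk size (called ``chunk_size`` here; the advisory
does not give its real name), the default is 8192 bytes, and the hardened
handler bounds the value. The media file is constructed, not real media.
"""
import os
import tempfile
from typing import Dict, Iterator

DEFAULT_CHUNK_SIZE = 8192        # assumed default
MAX_CHUNK_SIZE = 1024 * 1024     # assumed ceiling applied by the hardened handler


def chunk_size_unvalidated(query: Dict[str, str]) -> int:
    """Pre-3.9.0 style: the query value goes straight to the range reader."""
    return int(query.get("chunk_size", DEFAULT_CHUNK_SIZE))


def chunk_size_validated(query: Dict[str, str]) -> int:
    """Hardened: ignore non-integers and non-positives, clamp to MAX_CHUNK_SIZE."""
    raw = query.get("chunk_size")
    if raw is None:
        return DEFAULT_CHUNK_SIZE
    try:
        value = int(raw)
    except ValueError:
        return DEFAULT_CHUNK_SIZE
    if value <= 0:
        return DEFAULT_CHUNK_SIZE
    return min(value, MAX_CHUNK_SIZE)


def iter_range(path: str, start: int, end: int, chunk_size: int) -> Iterator[bytes]:
    """Stream bytes start..end (inclusive) of a file, at most chunk_size per read."""
    remaining = end - start + 1
    with open(path, "rb") as fh:
        fh.seek(start)
        while remaining > 0:
            data = fh.read(min(chunk_size, remaining))
            if not data:
                break
            remaining -= len(data)
            yield data


def peak_buffer(path: str, start: int, end: int, chunk_size: int) -> int:
    """Largest single read while serving the range: the memory the client controls."""
    return max((len(chunk) for chunk in iter_range(path, start, end, chunk_size)), default=0)


def make_media_file(size: int) -> str:
    """Write a constructed size-byte media file and return its path."""
    fd, path = tempfile.mkstemp(suffix=".mp4")
    with os.fdopen(fd, "wb") as fh:
        fh.write(os.urandom(size))
    return path


def compare_peak_memory(file_size: int, query: Dict[str, str]) -> Dict[str, int]:
    """Peak buffer for one full-file range request under both parsers."""
    path = make_media_file(file_size)
    try:
        end = file_size - 1
        return {
            "unvalidated": peak_buffer(path, 0, end, chunk_size_unvalidated(query)),
            "validated": peak_buffer(path, 0, end, chunk_size_validated(query)),
        }
    finally:
        os.remove(path)


if __name__ == "__main__":
    # A 4 MiB file and a request for a 10**12-byte chunk: the unvalidated path
    # reads the whole file in one call, the validated path never exceeds 1 MiB.
    print(compare_peak_memory(4 * 1024 * 1024, {"chunk_size": str(10**12)}))
```

With a 4 MiB file and `chunk_size=1000000000000` the unvalidated parser produces a single 4 MiB read while the validated one tops out at 1 MiB; under concurrent requests for a large file, the unvalidated path multiplies the full file size per in-flight request, which is the memory exhaustion the advisory describes.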
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-24
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: zauberzeug
Product: nicegui
Version range: all versions before 3.9.0 (3.9.0 itself excluded)
CWE
CWE ID Description
CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-770 (Allocation of Resources Without Limits or Throttling): The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in NiceGUI, a Python-based UI framework, in versions prior to 3.9.0. The issue is with the app.add_media_file() and app.add_media_files() media routes, which accept a user-controlled query parameter that affects how files are read during streaming.

Because this parameter is passed to the range-response implementation without validation, an attacker can bypass chunked streaming and force the server to load entire files into memory at once.

This can cause excessive memory consumption, degraded performance, or denial of service, especially when large media files and concurrent requests are involved.

The vulnerability was fixed in version 3.9.0 of NiceGUI.


How can this vulnerability impact me?

This vulnerability can impact you by causing excessive memory consumption on the server when large media files are requested concurrently.

This excessive memory use can degrade the performance of your application or even cause a denial of service, making the application unavailable to legitimate users.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The vulnerability has been patched in NiceGUI version 3.9.0. The immediate step to mitigate this vulnerability is to upgrade NiceGUI to version 3.9.0 or later.
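Two checks a practitioner would actually run, added here as example code rather than anything from NiceGUI or from the Q&A above: a version comparison against the 3.9.0 fix (using importlib.metadata for the local environment) and a scan of access-log lines for oversized values of the query parameter. The parameter name `chunk_size` and the 1 MiB threshold are assumptions, since the advisory names neither; the log lines are constructed.

```python
"""Detection helpers for CVE-2026-33332 (added example, not NiceGUI code).

Assumptions: the installed distribution is ``nicegui`` and every version below
3.9.0 is affected (per the advisory); the abused query parameter is assumed to
be ``chunk_size`` and 1 MiB is an assumed sane ceiling. SAMPLE_LOG is
constructed and does not come from any real deployment.
"""
import re
from importlib import metadata
from typing import List, Optional, Tuple

FIXED_VERSION = (3, 9, 0)
ASSUMED_MAX_CHUNK = 1024 * 1024


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.8.2' into (3, 8, 2): leading integer of each dotted component."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts) or (0,)


def is_affected(version: str) -> bool:
    """True when the given NiceGUI version predates the 3.9.0 fix."""
    return parse_version(version) < FIXED_VERSION


def installed_nicegui_affected() -> Optional[bool]:
    """Check the local environment; None when nicegui is not installed."""
    try:
        return is_affected(metadata.version("nicegui"))
    except metadata.PackageNotFoundError:
        return None


REQUEST_RE = re.compile(r'"GET (?P<path>\S+) HTTP/[\d.]+"')
CHUNK_RE = re.compile(r"[?&]chunk_size=(?P<value>\d+)")   # assumed parameter name


def oversized_chunk_requests(lines: List[str], max_chunk: int = ASSUMED_MAX_CHUNK) -> List[Tuple[str, int]]:
    """Return (client, requested chunk size) for requests exceeding max_chunk."""
    hits = []
    for line in lines:
        req = REQUEST_RE.search(line)
        if not req:
            continue
        chunk = CHUNK_RE.search(req.group("path"))
        if chunk and int(chunk.group("value")) > max_chunk:
            hits.append((line.split(" ", 1)[0], int(chunk.group("value"))))
    return hits


SAMPLE_LOG = [  # constructed combined-format access-log lines
    '10.0.0.5 - - [24/Mar/2026:10:00:01 +0000] "GET /media/intro.mp4?chunk_size=8192 HTTP/1.1" 206 8192',
    '10.0.0.9 - - [24/Mar/2026:10:00:02 +0000] "GET /media/intro.mp4?chunk_size=1000000000000 HTTP/1.1" 200 734003200',
    '10.0.0.7 - - [24/Mar/2026:10:00:03 +0000] "GET /media/intro.mp4 HTTP/1.1" 206 8192',
]

if __name__ == "__main__":
    print("installed nicegui affected:", installed_nicegui_affected())
    print("oversized chunk requests:", oversized_chunk_requests(SAMPLE_LOG))
```

The version check is the reliable signal; the log scan only helps if the real parameter name is substituted for the assumed one, and a request that never sends the parameter is harmless, so absence of hits does not prove absence of exposure.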

