NiceGUI Authentication Vulnerability Allowing Session Hijacking Across Browsers

Vulnerability

A vulnerability in NiceGUI versions prior to 2.9.1 allows session hijacking across different browsers, including incognito mode. When a user logs in from one browser, the authenticated session is shared with all other browsers without any password being required. This issue has been addressed in NiceGUI version 2.9.1.

Impact

Exploitation of this vulnerability allows for unauthorized access to user sessions across different browsers, potentially leading to unauthorized actions being performed on behalf of the user.

Reproduction

To reproduce this vulnerability, log into NiceGUI using a standard browser. After logging in, open the same application in a different browser or in an incognito window. The session is already active there without a password being entered, which shows that the authenticated state has been shared across browsers.

Remediation

Users can upgrade to NiceGUI version 2.9.1 or later to address this vulnerability.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          0.0
impact          2.5
exploitability  8.4
remediation     7.7
relevance       0.0
threat          4.8
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.