NiceGUI Directory Traversal Vulnerability in App.add_media_files() Allows Arbitrary File Read

A directory traversal vulnerability has been identified in NiceGUI, a Python-based UI framework, affecting versions through 3.3.1. The issue arises in the App.add_media_files() function, which lacks proper path validation, allowing remote attackers to read arbitrary files from the server's filesystem. This vulnerability can be exploited by accessing the application through a URL path that the attacker can reach, potentially exposing sensitive files such as application source code, configuration files, and operating system files like /etc/hosts.

Impact

Exploitation of this vulnerability allows for unauthorized reading of files outside the designated media directory, with the potential to access sensitive application and operating system files.

Reproduction

To reproduce this vulnerability, upload a file to the server that contains sensitive information, such as a configuration file or a file from the root directory. Then, use the NiceGUI App.add_media_files() function to expose the directory containing the sensitive file. Finally, send a request to the exposed URL path, using directory traversal sequences to access the sensitive file.

Remediation

Users can upgrade to NiceGUI version 3.4.0 or later, where this vulnerability has been fixed.