NiceGUI Redis Connection Leak Vulnerability Allowing Denial-of-Service

Vulnerability

A vulnerability in NiceGUI versions 2.10.0 through 3.4.1 allows unauthenticated attackers to exhaust Redis connections by repeatedly opening and closing browser tabs in NiceGUI applications that use Redis for storage. The root cause is that connections are not properly released, so once Redis reaches its connection limit the service degrades. NiceGUI itself continues to accept new connections, but storage operations fail and errors are logged, disrupting the application's persistent storage. The vulnerability has been patched in NiceGUI version 3.5.0.

Impact

Exploitation of this vulnerability causes a denial-of-service condition by exhausting Redis connections, leading to service degradation when Redis hits its connection limit. This disrupts any functionality dependent on Redis, causing errors and loss of persistent storage for users.

Reproduction

To reproduce this vulnerability, first set a limit on Redis connections by configuring 'maxclients' to a low value, such as 50. Then, start a NiceGUI server with a Redis URL pointing to a local Redis instance. After the server is running, execute an attack script that opens and closes multiple browser tabs, targeting the NiceGUI application. Monitor the server logs to observe the connection errors as Redis refuses new connections after reaching its limit.
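A defender-side check for the condition the reproduction relies on, written as an added example (not code from the advisory or the NiceGUI project): it parses the text printed by `redis-cli INFO clients` and `redis-cli CLIENT LIST`, reports how close the server is to `maxclients`, and counts long-idle connections per source host, which is the signature of a client that opens connections and never closes them. The field names follow the Redis 7 output format, and both samples below are constructed, not captured from a real host.

```python
"""Detect Redis client-connection exhaustion and long-idle connections.

Added example, not part of the advisory or of NiceGUI. Operates on the text
output of `INFO clients` and `CLIENT LIST`, so it runs offline on the
constructed samples below.
"""
import re
from dataclasses import dataclass

# Constructed sample of `redis-cli INFO clients` (maxclients lowered to 50,
# as in the reproduction above). Not real output.
SAMPLE_INFO_CLIENTS = """# Clients
connected_clients:47
cluster_connections:0
maxclients:50
client_recent_max_input_buffer:20480
client_recent_max_output_buffer:0
blocked_clients:0
"""

# Constructed sample of `redis-cli CLIENT LIST`: three connections from one
# host that went idle almost immediately after being opened, plus one
# active monitoring connection. Not real output.
SAMPLE_CLIENT_LIST = """id=3 addr=127.0.0.1:50001 laddr=127.0.0.1:6379 fd=8 name= age=900 idle=890 flags=N db=0 cmd=get
id=4 addr=127.0.0.1:50002 laddr=127.0.0.1:6379 fd=9 name= age=850 idle=845 flags=N db=0 cmd=get
id=5 addr=127.0.0.1:50003 laddr=127.0.0.1:6379 fd=10 name= age=700 idle=698 flags=N db=0 cmd=get
id=6 addr=10.0.0.5:41000 laddr=127.0.0.1:6379 fd=11 name=monitor age=3600 idle=2 flags=N db=0 cmd=info
"""


@dataclass
class ClientCapacity:
    connected: int   # connected_clients from INFO
    maxclients: int  # maxclients from INFO; 0 means the server has no limit
    level: str       # "ok", "warning" or "critical"

    @property
    def utilisation(self) -> float:
        return self.connected / self.maxclients if self.maxclients else 0.0


def parse_info_section(text: str) -> dict:
    """Parse the 'key:value' lines of an INFO section; '#' lines are headers."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition(":")
        if sep:
            fields[key] = value
    return fields


def assess_capacity(info_clients: str, warn_at: float = 0.8,
                    critical_at: float = 0.95) -> ClientCapacity:
    """Classify how close the server is to refusing new clients."""
    fields = parse_info_section(info_clients)
    connected = int(fields.get("connected_clients", 0))
    maxclients = int(fields.get("maxclients", 0))
    ratio = connected / maxclients if maxclients else 0.0
    if ratio >= critical_at:
        level = "critical"
    elif ratio >= warn_at:
        level = "warning"
    else:
        level = "ok"
    return ClientCapacity(connected, maxclients, level)


# CLIENT LIST prints one connection per line as space-separated key=value pairs;
# a value may be empty (e.g. "name="), hence \S* rather than \S+.
CLIENT_FIELD = re.compile(r"(\w+)=(\S*)")


def parse_client_list(text: str) -> list:
    """Return one dict of fields per connection line."""
    return [dict(CLIENT_FIELD.findall(line))
            for line in text.splitlines() if line.strip()]


def idle_connections(client_list: str, idle_threshold: int = 300) -> list:
    """Connections idle for at least idle_threshold seconds.

    An idle connection is not proof of a leak on its own (a quiet pool looks
    the same); the per-host count from idle_by_host() is what separates a
    leaking client from a healthy one.
    """
    return [c for c in parse_client_list(client_list)
            if int(c.get("idle", 0)) >= idle_threshold]


def idle_by_host(client_list: str, idle_threshold: int = 300) -> dict:
    """Count long-idle connections per source host (address without port)."""
    counts = {}
    for c in idle_connections(client_list, idle_threshold):
        host = c.get("addr", "?").rsplit(":", 1)[0]
        counts[host] = counts.get(host, 0) + 1
    return counts


if __name__ == "__main__":
    cap = assess_capacity(SAMPLE_INFO_CLIENTS)
    print(f"{cap.level}: {cap.connected}/{cap.maxclients} clients "
          f"({cap.utilisation:.0%} of maxclients)")
    for host, n in idle_by_host(SAMPLE_CLIENT_LIST).items():
        print(f"{host}: {n} connection(s) idle > 300 s")
```

Run this periodically against real `INFO clients` / `CLIENT LIST` output and alert on `warning` or on a host whose idle-connection count keeps growing; a monotonically rising count from the NiceGUI host is the observable symptom of the leak described above, visible before Redis starts refusing connections.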

Remediation

Users can upgrade to NiceGUI version 3.5.0, where this vulnerability has been patched.

Added: Jan 8, 2026, 10:20 AM
Updated: Jan 8, 2026, 6:59 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          2.5
exploitability  8.7
remediation     7.7
relevance       1.9
threat          6.4
urgency         2.9
incentive       5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.