NiceGUI Memory Exhaustion Vulnerability in Media Streaming Routes

Vulnerability

A memory exhaustion vulnerability has been identified in NiceGUI versions prior to 3.9.0. The issue arises in the 'app.add_media_file()' and 'app.add_media_files()' media routes, where a user-controlled query parameter is accepted without proper validation. This parameter influences how files are read during streaming, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. When large media files are involved, especially with concurrent requests, this can lead to excessive memory consumption, degraded performance, or a denial-of-service condition.

Impact

Exploitation of this vulnerability can cause excessive memory usage, performance degradation, and potential out-of-memory conditions on the server.

Reproduction

The vulnerability can be reproduced by sending a request to a NiceGUI application that serves media files through the 'app.add_media_file()' or 'app.add_media_files()' routes. Include a crafted 'nicegui_chunk_size' query parameter to manipulate the chunk size. Values such as -1, 0, or -9999 can be used to test the vulnerability. The server will respond by loading the entire file into memory, bypassing the intended chunked streaming.

Remediation

Users are advised to upgrade to NiceGUI version 3.9.0 or later, where this vulnerability has been patched. As an additional measure, access to media endpoints can be restricted or unexpected query parameters stripped at the reverse proxy layer.
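To illustrate the class of fix at the application layer, here is an added example that is not NiceGUI's own code and not the 3.9.0 patch: a minimal chunked file-streaming helper in which the query-parameter value is validated before it is used as a read size. The vulnerable pattern is shown beside the hardened one; the function names, the default and maximum chunk sizes, and the 1 MiB sample payload are all assumptions made for this illustration.

```python
import io
from typing import Iterator, Optional

DEFAULT_CHUNK_SIZE = 64 * 1024   # 64 KiB; constructed value for the example
MAX_CHUNK_SIZE = 1024 * 1024     # 1 MiB hard upper bound; constructed value


def unsafe_chunk_size(raw: Optional[str]) -> int:
    """Vulnerable pattern: honour the query parameter as-is.

    A Python file object's read(-1) (or any negative size) returns the whole
    remaining file, so a single request turns chunked streaming into a
    full in-memory read.
    """
    return int(raw) if raw is not None else DEFAULT_CHUNK_SIZE


def safe_chunk_size(raw: Optional[str]) -> int:
    """Hardened pattern: parse strictly and reject non-positive or oversized
    values by falling back to the server-side default."""
    if raw is None:
        return DEFAULT_CHUNK_SIZE
    try:
        size = int(raw)
    except ValueError:
        return DEFAULT_CHUNK_SIZE
    if size <= 0 or size > MAX_CHUNK_SIZE:
        return DEFAULT_CHUNK_SIZE
    return size


def stream_file(fileobj: io.BufferedIOBase, chunk_size: int) -> Iterator[bytes]:
    """Yield the file in pieces of at most chunk_size bytes."""
    while True:
        chunk = fileobj.read(chunk_size)
        if not chunk:
            return
        yield chunk


def max_chunk_served(data: bytes, raw_param: Optional[str], hardened: bool) -> int:
    """Largest single chunk held in memory while streaming `data` with the
    requested chunk-size parameter (the peak per-request buffer)."""
    size = safe_chunk_size(raw_param) if hardened else unsafe_chunk_size(raw_param)
    return max((len(c) for c in stream_file(io.BytesIO(data), size)), default=0)


if __name__ == "__main__":
    sample = bytes(1024 * 1024)  # constructed 1 MiB "media file"
    print("unsafe, -1:  ", max_chunk_served(sample, "-1", hardened=False))
    print("hardened, -1:", max_chunk_served(sample, "-1", hardened=True))
```

With the unsafe parser a chunk size of -1 makes the peak buffer equal to the whole file, while the hardened parser keeps it at the default regardless of the value supplied.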

Added: Mar 24, 2026, 8:32 PM
Updated: Mar 24, 2026, 8:32 PM

Vulnerability Rating

Custom Algorithm
  spread          0.0
  impact          2.5
  exploitability  8.0
  remediation     0.0
  relevance       4.6
  threat          4.8
  urgency         2.9
  incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.