NiceGUI Path Traversal Vulnerability in File Upload Handling on Windows
Vulnerability
A path traversal vulnerability has been identified in NiceGUI, a Python-based UI framework, in versions prior to 3.10.0. The issue lies in the file upload feature, where filename sanitization can be bypassed on Windows systems. Because the destination path is built from the client-supplied filename and Windows interprets backslashes as directory separators, a filename containing backslashes can direct the write outside the upload directory, allowing arbitrary file writes. This issue does not affect Linux or macOS, as those operating systems treat backslashes as literal characters in filenames.
Impact
Exploitation of this vulnerability could lead to arbitrary file writes outside the intended upload directory on Windows. This not only risks overwriting existing files but could also allow for remote code execution by replacing application files or placing executable files in known locations.
Reproduction
To reproduce this vulnerability, upload a file using the NiceGUI file upload feature on a Windows system. Include backslashes in the filename to bypass the sanitization process. Once uploaded, the file will be written outside the designated upload directory, potentially overwriting important files or executing malicious code if an executable is placed in a recognized location.
Remediation
Users can upgrade to NiceGUI version 3.10.0 or later, where this vulnerability has been fixed.
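The defensive check the fix needs, as an added illustration that is not NiceGUI's own code: a sanitizer that treats both `/` and `\` as separators on every operating system, keeps only the final path component, and then verifies the resolved destination still lies inside the upload directory. The function names, the `/tmp/uploads` directory and the sample filenames are assumptions for this example.

```python
import re
from pathlib import Path

# Hypothetical example, not NiceGUI's own code. Both separator styles are
# split regardless of host OS, so a backslash in an uploaded filename can
# never become a directory component when the application runs on Windows.
_SEPARATORS = re.compile(r"[\\/]+")
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def sanitize_filename(name: str) -> str:
    """Reduce a client-supplied filename to a single safe path component."""
    # Split on '/' and '\' alike and keep only the last non-empty component,
    # so 'a\\b/c.txt' becomes 'c.txt' whether or not the host honours '\'.
    parts = [p for p in _SEPARATORS.split(name) if p]
    last = parts[-1] if parts else ""
    # Replace remaining unsafe characters and strip leading/trailing dots and
    # spaces; this turns '.' and '..' into an empty (rejected) name.
    cleaned = _UNSAFE_CHARS.sub("_", last).strip(". ")
    if not cleaned:
        raise ValueError(f"unusable upload filename: {name!r}")
    return cleaned


def safe_upload_path(upload_dir: str, client_name: str) -> Path:
    """Build the destination path and verify it stays inside upload_dir."""
    base = Path(upload_dir).resolve()
    target = (base / sanitize_filename(client_name)).resolve()
    # Defence in depth: even after sanitization, refuse any path whose parent
    # is not exactly the upload directory.
    if target.parent != base:
        raise ValueError(f"path escapes upload directory: {target}")
    return target


if __name__ == "__main__":
    # Constructed sample names, including the backslash form from the advisory.
    for name in ("report.pdf", "..\\..\\Windows\\notes.txt", "../../etc/x"):
        print(name, "->", safe_upload_path("/tmp/uploads", name))
```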