NiceGUI Unauthenticated Log-Volume Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in NiceGUI, a Python-based UI framework, prior to version 3.12.0. The issue arises in two FastAPI routes that serve per-component static assets. These routes accept a sub-path parameter that can be manipulated to resolve to a directory instead of a file. When a request targets a directory, it triggers an unhandled RuntimeError in Starlette's FileResponse. This error is logged by Uvicorn as a full traceback, amplifying log volume and consuming disk space. The vulnerability is accessible without authentication, allowing remote attackers to disrupt any publicly reachable NiceGUI server by overloading its log capacity and exhausting disk space.

Impact

Exploitation of this vulnerability leads to a log-volume denial-of-service condition, where increased log entries from the error traceback can cause alert fatigue or mask other important events in monitoring. Additionally, the amplified log volume can saturate downstream log-shipping pipelines, and on hosts with default log retention, it can exhaust available disk space.

Remediation

Users can upgrade to NiceGUI version 3.12.0 or later, where this vulnerability has been patched. For those unable to upgrade immediately, it is recommended to place NiceGUI behind a reverse proxy that rejects requests targeting directories in the vulnerable FastAPI routes, or to rate-limit the NiceGUI prefix at the proxy.
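The defensive pattern behind the fix is simple: resolve the requested sub-path under the asset root and hand it to `FileResponse` only if it is a regular file inside that root; anything else (a directory, including the root itself, a missing file, or a path that escapes the root) is answered with a plain 404 instead of an exception. The following is an added example written for this advisory, not NiceGUI's own code or its patch; the function names, the temporary asset tree and the probe paths are constructed for the demo, and the FastAPI call site is shown only as a comment.

```python
"""Hardened static-asset resolver: serve only regular files inside the root.

Added example (not NiceGUI code). `resolve_asset`, `build_demo_root`,
`classify` and `demo_results` are names invented for this demo.
"""
from __future__ import annotations

import tempfile
from pathlib import Path


def resolve_asset(asset_root: Path, sub_path: str) -> Path | None:
    """Return the regular file that `sub_path` names under `asset_root`,
    or None when the request should get a 404 instead of a response body.

    Rejects paths that escape the root ("../", absolute paths, symlinks
    resolving outside), and anything that is not a regular file, which is
    the directory case the advisory describes: Starlette's FileResponse
    raises RuntimeError on a directory, and that traceback is what floods
    the log. Returning None keeps the error path to a single 404.
    """
    root = asset_root.resolve()
    # Strip leading separators so an absolute sub_path cannot replace root.
    candidate = (root / sub_path.lstrip("/\\")).resolve()
    # Containment: candidate must be the root itself or somewhere below it.
    if candidate != root and root not in candidate.parents:
        return None
    # Directory (or missing file) -> refuse; only regular files are served.
    if not candidate.is_file():
        return None
    return candidate


# In a FastAPI route the call site would look like this (assumption, shown
# only as a comment so the demo runs without FastAPI installed):
#     path = resolve_asset(ASSET_ROOT, sub_path)
#     if path is None:
#         raise HTTPException(status_code=404)
#     return FileResponse(path)


def build_demo_root() -> Path:
    """Create a temporary asset tree (constructed sample data)."""
    root = Path(tempfile.mkdtemp(prefix="assets_"))
    (root / "css").mkdir()
    (root / "css" / "app.css").write_text("body { margin: 0 }")
    (root / "js").mkdir()  # an empty directory, a typical directory target
    return root


def classify(asset_root: Path, sub_path: str) -> str:
    """Map a sub_path to the HTTP outcome the hardened handler would give."""
    return "200 file" if resolve_asset(asset_root, sub_path) else "404"


def demo_results() -> dict[str, str]:
    """Run a set of constructed probe paths against a fresh demo tree."""
    root = build_demo_root()
    probes = ["css/app.css", "css", "js", "", ".", "../", "/abs/x.css", "css/missing.css"]
    return {p: classify(root, p) for p in probes}


if __name__ == "__main__":
    for probe, outcome in demo_results().items():
        print(f"{probe!r:20} -> {outcome}")
```

Only `css/app.css` is served; the directory probes (`css`, `js`, the empty path and `.`, which all resolve to a directory) and the escaping or missing paths all collapse to a 404 with no traceback, so an unauthenticated client can no longer turn each request into a multi-line error log entry.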

Added: Jun 2, 2026, 4:43 PM
Updated: Jun 2, 2026, 4:43 PM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         2.5
exploitability: 7.4
remediation:    0.0
relevance:      9.8
threat:         0.0
urgency:        2.9
incentive:      4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.