GHSA-72qc-wxch-74mg

Source

https://github.com/advisories/GHSA-72qc-wxch-74mg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-72qc-wxch-74mg/GHSA-72qc-wxch-74mg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-72qc-wxch-74mg

Aliases

CVE-2025-66469

Published

2025-12-08T21:30:20Z

Modified

2025-12-08T21:42:59.366493Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection

Details

Summary

A Cross-Site Scripting (XSS) vulnerability exists in ui.add_css, ui.add_scss, and ui.add_sass functions in NiceGUI (v3.3.1 and earlier).

These functions allow developers to inject styles dynamically. However, they lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript.

Details

The vulnerability stems from how these functions inject content into the DOM using client.run_javascript (or add_head_html internally) without sufficient escaping for the transport layer.

ui.add_css: Injects content into a <style> tag. Input containing </style> closes the tag prematurely, allowing subsequent HTML/JS injection.
ui.add_scss / ui.add_sass: These rely on client-side compilation within <script> tags. Input containing </script> breaks the execution context, allowing XSS.

PoC

Scenario: A developer allows users to customize a theme color via a URL parameter.

from nicegui import ui

@ui.page('/')
def main(color: str = 'blue'):
    # Vulnerable implementation of dynamic theming
    ui.add_css(f'.q-btn {{ background-color: {color} !important; }}')
    ui.button('Click Me')

ui.run(port=8082)

Attack Vector: Accessing the following URL executes arbitrary JavaScript: http://localhost:8082/?color=red;}</style><img src=x onerror=alert(document.domain)><style>

Impact

Type: Reflected XSS
Severity: Moderate
Affected Components: Applications using ui.add_css, ui.add_scss, or ui.add_sass with untrusted input (e.g., dynamic theming based on user input).

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-08T21:30:20Z",
    "nvd_published_at": null,
    "severity": "MODERATE",
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

PyPI / nicegui

Package

Name: nicegui; View open source insights on deps.dev
Purl: pkg:pypi/nicegui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.4.0

Affected versions

0.*

0.1.0

0.1.4

0.1.6

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.9

0.2.10

0.2.11

0.2.12

0.2.13

0.2.14

0.2.15

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6

0.4.7

0.4.8

0.4.9

0.4.10

0.4.11

0.4.12

0.4.13

0.4.14

0.4.15

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.5.6

0.5.7

0.5.8

0.5.9

0.5.10

0.5.11

0.5.12

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6

0.6.7

0.6.8

0.6.9

0.6.10

0.6.11

0.6.12

0.6.13

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.6

0.7.7

0.7.8

0.7.9

0.7.10

0.7.11

0.7.12

0.7.13

0.7.14

0.7.15

0.7.16

0.7.17

0.7.18

0.7.19

0.7.21

0.7.22

0.7.23

0.7.24

0.7.25

0.7.26

0.7.27

0.7.28

0.7.29

0.7.30

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.8.10

0.8.11

0.8.12

0.8.13

0.8.14

0.8.15

0.8.16

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.10

0.9.11

0.9.12

0.9.13

0.9.14

0.9.15

0.9.16

0.9.17

0.9.18

0.9.19

0.9.20

0.9.21

0.9.22

0.9.23

0.9.24

0.9.25

0.9.26

0.9.27

0.9.28

1.*

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9

1.1.10

1.1.11

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.2.14

1.2.15

1.2.16

1.2.17

1.2.18

1.2.20

1.2.21

1.2.22

1.2.23

1.2.24

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.3.11

1.3.12

1.3.13

1.3.14

1.3.15

1.3.16

1.3.17

1.3.18

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.4.9

1.4.10

1.4.11

1.4.12

1.4.13

1.4.14

1.4.15

1.4.16

1.4.17

1.4.18

1.4.19

1.4.20

1.4.21

1.4.22

1.4.23

1.4.24

1.4.25

1.4.26

1.4.27

1.4.28

1.4.29

1.4.30

1.4.31

1.4.33

1.4.34

1.4.35

1.4.36

1.4.37

2.*

2.0.0

2.0.1

2.1.0

2.2.0

2.3.0

2.4.0

2.5.0

2.7.0

2.8.0

2.8.1

2.9.0

2.9.1

2.10.0

2.10.1

2.11.0

2.11.1

2.12.0

2.12.1

2.13.0

2.14.0

2.14.1

2.15.0

2.16.0

2.16.1

2.17.0

2.18.0

2.19.0

2.20.0

2.21.0

2.21.1

2.22.0

2.22.1

2.22.2

2.23.0

2.23.1

2.23.2

2.23.3

2.24.0

2.24.1

2.24.2

3.*

3.0.0rc1

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.1.0

3.2.0

3.3.0

3.3.1

Database specific

last_known_affected_version_range

"<= 3.3.1"