GHSA-7grm-h62g-5m97
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7grm-h62g-5m97
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-7grm-h62g-5m97/GHSA-7grm-h62g-5m97.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7grm-h62g-5m97
- Published
- 2026-01-08T20:00:29Z
- Modified
- 2026-01-08T20:13:45.467762Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- NiceGUI is vulnerable to XSS via Unescaped URL in ui.navigate.history.push() / replace()
- Details
-
Summary
XSS risk exists in NiceGUI when developers pass attacker-controlled strings into
ui.navigate.history.push()orui.navigate.history.replace(). These helpers are documented as History API wrappers for updating the browser URL without page reload. However, if the URL argument is embedded into generated JavaScript without proper escaping, a crafted payload can break out of the intended string context and execute arbitrary JavaScript in the victim’s browser.Applications that do not pass untrusted input into
ui.navigate.history.push/replaceare not affected.Details
NiceGUI provides
ui.navigate.history.push(url)andui.navigate.history.replace(url)to update the URL using the browser History API. If an application forwards user-controlled data (e.g., URL path segments, query parameters likenext=..., form values, etc.) into these methods, an attacker can inject characters such as quotes and statement terminators to escape the JavaScript string context and execute arbitrary code.A vulnerable pattern is: - attacker controls a value (e.g., via the request path), - the application passes it to
ui.navigate.history.push(payload)(orreplace).This is similar in spirit to other NiceGUI XSS advisories: -
ui.html(),ui.chat_message()can cause XSS when developers render untrusted input as HTML (XSS risk/footgun). -ui.interactive_imagehad XSS via unsanitized SVG content and was handled as a security advisory with a fix and severity rating.Because
ui.navigate.history.*is expected to accept a URL (data) rather than executable code, the library should escape/encode the argument before emitting JavaScript.PoC
Create a simple app
from nicegui import ui @ui.page('/') def index(): # A link/button a victim could click (attacker can also send the URL directly) ui.button('open crafted path', on_click=lambda: ui.navigate.to('/%22);alert(document.domain);//')) @ui.page('/{payload:path}') def victim(payload: str): ui.label(f'payload = {payload!r}') # Vulnerable use: forwarding attacker-controlled path to history.push ui.button('trigger', on_click=lambda: ui.navigate.history.push(payload)) ui.run()Run the app
python app.pyTrigger
- Open
http://localhost:8080/ - Click
open crafted path - Click
trigger
Expected result: JavaScript executes (an alert showing
document.domain).Impact
- Vulnerability type: DOM-based XSS
- Attack vector: attacker-controlled input embedded into JavaScript via
ui.navigate.history.push/replace - Affected users: any NiceGUI-based application that forwards untrusted input into
ui.navigate.history.push()orui.navigate.history.replace() - Potential outcomes: client-side code execution, phishing UI injection, and other typical XSS impacts
- Open
- Database specific
{ "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "nvd_published_at": "2026-01-08T10:15:55Z", "github_reviewed": true, "github_reviewed_at": "2026-01-08T20:00:29Z" }- References
Affected packages
PyPI / nicegui
Package
- Name
- nicegui
- View open source insights on deps.dev
- Purl
- pkg:pypi/nicegui