GHSA-w5g8-5849-vj76

Source

https://github.com/advisories/GHSA-w5g8-5849-vj76

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-w5g8-5849-vj76/GHSA-w5g8-5849-vj76.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-w5g8-5849-vj76

Aliases

CVE-2026-33332

Published

2026-03-19T18:48:27Z

Modified

2026-03-27T22:04:50.847264Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator

Summary

NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion

Details

Summary

NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once.

With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service.

Impact

Affected applications: NiceGUI applications that serve media content via app.add_media_file() or app.add_media_files(), particularly those serving large files (video, audio).

What an attacker can do: - Force the server to load entire files into memory instead of streaming them in chunks - Amplify memory usage with concurrent requests to large media files - Cause performance degradation, memory pressure, and potential OOM conditions

Attack difficulty: Low - requires only a crafted query parameter.

Remediation

Upgrade to a patched version of NiceGUI.

As a workaround, restrict access to media endpoints or strip unexpected query parameters at a reverse proxy layer.

Database specific

{
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T18:48:27Z",
    "severity": "MODERATE",
    "nvd_published_at": "2026-03-24T20:16:28Z",
    "cwe_ids": [
        "CWE-20",
        "CWE-770"
    ]
}

References

Affected packages

PyPI / nicegui

Package

Name: nicegui; View open source insights on deps.dev
Purl: pkg:pypi/nicegui

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.9.0

Affected versions

0.*

0.1.0

0.1.4

0.1.6

0.2.0

0.2.1

0.2.2

0.2.3

0.2.4

0.2.9

0.2.10

0.2.11

0.2.12

0.2.13

0.2.14

0.2.15

0.3.0

0.3.1

0.3.2

0.3.3

0.3.4

0.3.5

0.3.6

0.3.7

0.3.8

0.3.9

0.4.0

0.4.1

0.4.2

0.4.3

0.4.4

0.4.5

0.4.6

0.4.7

0.4.8

0.4.9

0.4.10

0.4.11

0.4.12

0.4.13

0.4.14

0.4.15

0.5.0

0.5.1

0.5.2

0.5.3

0.5.4

0.5.5

0.5.6

0.5.7

0.5.8

0.5.9

0.5.10

0.5.11

0.5.12

0.6.0

0.6.1

0.6.2

0.6.3

0.6.4

0.6.5

0.6.6

0.6.7

0.6.8

0.6.9

0.6.10

0.6.11

0.6.12

0.6.13

0.7.0

0.7.1

0.7.2

0.7.3

0.7.4

0.7.6

0.7.7

0.7.8

0.7.9

0.7.10

0.7.11

0.7.12

0.7.13

0.7.14

0.7.15

0.7.16

0.7.17

0.7.18

0.7.19

0.7.21

0.7.22

0.7.23

0.7.24

0.7.25

0.7.26

0.7.27

0.7.28

0.7.29

0.7.30

0.8.0

0.8.1

0.8.2

0.8.3

0.8.4

0.8.5

0.8.6

0.8.7

0.8.8

0.8.9

0.8.10

0.8.11

0.8.12

0.8.13

0.8.14

0.8.15

0.8.16

0.9.0

0.9.1

0.9.2

0.9.3

0.9.4

0.9.5

0.9.6

0.9.7

0.9.8

0.9.9

0.9.10

0.9.11

0.9.12

0.9.13

0.9.14

0.9.15

0.9.16

0.9.17

0.9.18

0.9.19

0.9.20

0.9.21

0.9.22

0.9.23

0.9.24

0.9.25

0.9.26

0.9.27

0.9.28

1.*

1.0.1

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.0.10

1.1.0

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.1.7

1.1.8

1.1.9

1.1.10

1.1.11

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.2.10

1.2.11

1.2.12

1.2.13

1.2.14

1.2.15

1.2.16

1.2.17

1.2.18

1.2.20

1.2.21

1.2.22

1.2.23

1.2.24

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.3.11

1.3.12

1.3.13

1.3.14

1.3.15

1.3.16

1.3.17

1.3.18

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.4.8

1.4.9

1.4.10

1.4.11

1.4.12

1.4.13

1.4.14

1.4.15

1.4.16

1.4.17

1.4.18

1.4.19

1.4.20

1.4.21

1.4.22

1.4.23

1.4.24

1.4.25

1.4.26

1.4.27

1.4.28

1.4.29

1.4.30

1.4.31

1.4.33

1.4.34

1.4.35

1.4.36

1.4.37

2.*

2.0.0

2.0.1

2.1.0

2.2.0

2.3.0

2.4.0

2.5.0

2.7.0

2.8.0

2.8.1

2.9.0

2.9.1

2.10.0

2.10.1

2.11.0

2.11.1

2.12.0

2.12.1

2.13.0

2.14.0

2.14.1

2.15.0

2.16.0

2.16.1

2.17.0

2.18.0

2.19.0

2.20.0

2.21.0

2.21.1

2.22.0

2.22.1

2.22.2

2.23.0

2.23.1

2.23.2

2.23.3

2.24.0

2.24.1

2.24.2

3.*

3.0.0rc1

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.1.0

3.2.0

3.3.0

3.3.1

3.4.0

3.4.1

3.5.0

3.6.0

3.6.1

3.7.0

3.7.1

3.8.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-w5g8-5849-vj76/GHSA-w5g8-5849-vj76.json"

last_known_affected_version_range

"<= 3.8.0"