CVE-2025-21618
Published: 06 January 2025
Summary
CVE-2025-21618 is a high-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SC-23 (Session Authenticity).
Deeper analysis
CVE-2025-21618 affects NiceGUI, an easy-to-use Python-based UI framework, in versions prior to 2.9.1. The vulnerability stems from an improper authentication mechanism (CWE-287) where user authentication results in logging in the user across all browsers, including those in incognito mode. This flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high severity due to its network accessibility and integrity impact.
Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows attackers to achieve high integrity impact, enabling unauthorized actions such as impersonation or manipulation of authenticated sessions across multiple browser instances, including isolated incognito sessions.
The issue is addressed in NiceGUI version 2.9.1. For details, refer to the security advisory at https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v6jv-p6r8-j78w and the fixing commit at https://github.com/zauberzeug/nicegui/commit/1621a4ba6a06676b8094362d36623551e651adc1.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-0044
Vulnerability details
NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. This vulnerability is fixed in 2.9.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remotely exploitable improper authentication flaw (CWE-287) in a public-facing Python web UI framework, directly enabling unauthorized session manipulation and impersonation without credentials or interaction.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Directly requires timely remediation of the specific software flaw in NiceGUI's authentication mechanism that enables cross-browser session sharing.
Ensures unique session identifiers bound to specific browser sessions, preventing unauthorized propagation of authentication state across incognito and other browser instances.
Mandates robust identification and authentication mechanisms for organizational users, directly countering the improper authentication (CWE-287) that logs in users across all browsers.