CVE-2025-21618

Severity: High
Published: 06 January 2025
Modified: 15 April 2026
KEV Added: none (not listed in the CISA KEV catalog)
Patch: available (fixed in NiceGUI 2.9.1)
CVSS v3.1 Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0017 (38.5th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-21618 is a high-severity Improper Authentication (CWE-287) vulnerability. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks the vulnerability at the 38.5th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-2 (Identification and Authentication (Organizational Users)) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2025-21618 affects NiceGUI, an easy-to-use Python-based UI framework, in versions prior to 2.9.1. The vulnerability stems from an improper authentication mechanism (CWE-287) where user authentication results in logging in the user across all browsers, including those in incognito mode. This flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), indicating high severity due to its network accessibility and integrity impact.

Remote attackers require no privileges or user interaction to exploit this vulnerability over the network with low complexity. Successful exploitation allows attackers to achieve high integrity impact, enabling unauthorized actions such as impersonation or manipulation of authenticated sessions across multiple browser instances, including isolated incognito sessions.

The issue is addressed in NiceGUI version 2.9.1. For details, refer to the security advisory at https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v6jv-p6r8-j78w and the fixing commit at https://github.com/zauberzeug/nicegui/commit/1621a4ba6a06676b8094362d36623551e651adc1.
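To make the CWE-287 pattern concrete, the following added example (not NiceGUI's code and not the fixing commit) models a login store that keeps one process-wide "logged in" record, beside a corrected store that binds the authentication state to the session id that presented the credentials. The store and user names are hypothetical and the credential table is constructed.

```python
"""Added example, not NiceGUI's code: a process-wide login record versus
authentication state bound to the browser session that logged in."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed credential table; a real application verifies a password hash.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class SharedAuthStore:
    """Vulnerable model: a single login flag seen by every connecting browser."""
    current_user: Optional[str] = None

    def login(self, session_id: str, username: str, password: str) -> bool:
        if not secrets.compare_digest(USERS.get(username, ""), password):
            return False
        self.current_user = username  # process-wide; session_id is ignored
        return True

    def user_for(self, session_id: str) -> Optional[str]:
        # Any session, including an incognito window, now looks authenticated.
        return self.current_user


@dataclass
class SessionAuthStore:
    """Corrected model: login state keyed by the session that authenticated."""
    sessions: Dict[str, str] = field(default_factory=dict)

    def login(self, session_id: str, username: str, password: str) -> bool:
        if not secrets.compare_digest(USERS.get(username, ""), password):
            return False
        self.sessions[session_id] = username  # bound to this session only
        return True

    def user_for(self, session_id: str) -> Optional[str]:
        return self.sessions.get(session_id)  # other browsers stay anonymous


def cross_browser_leak(store) -> bool:
    """Return True if a login from one browser makes a second, unrelated
    browser (an incognito window, say) appear authenticated in `store`."""
    browser_a = secrets.token_hex(16)  # constructed per-browser session ids
    browser_b = secrets.token_hex(16)
    assert store.login(browser_a, "alice", "correct horse battery staple")
    return store.user_for(browser_b) is not None
```

The same check is a useful regression test for any session layer: log in with one session id, then assert that a fresh session id is still anonymous.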

Vulnerability details

NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. This vulnerability is fixed in 2.9.1.

CWE(s): CWE-287 Improper Authentication

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The CVE describes a remotely exploitable improper authentication flaw (CWE-287) in a public-facing Python web UI framework, directly enabling unauthorized session manipulation and impersonation without credentials or interaction.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-71279 (shared CWE-287)
CVE-2024-13804 (shared CWE-287)
CVE-2024-57046 (shared CWE-287)
CVE-2026-1203 (shared CWE-287)
CVE-2026-1740 (shared CWE-287)
CVE-2025-43995 (shared CWE-287)
CVE-2026-7876 (shared CWE-287)
CVE-2025-0637 (shared CWE-287)
CVE-2025-61882 (shared CWE-287)
CVE-2026-0589 (shared CWE-287)

Mitigating Controls (NIST 800-53 r5)

prevent: Directly requires timely remediation of the specific software flaw in NiceGUI's authentication mechanism that enables cross-browser session sharing.

prevent (SC-23, Session Authenticity): Ensures unique session identifiers bound to specific browser sessions, preventing unauthorized propagation of authentication state across incognito and other browser instances.

prevent (IA-2, Identification and Authentication (Organizational Users)): Mandates robust identification and authentication mechanisms for organizational users, directly countering the improper authentication (CWE-287) that logs in users across all browsers.
