CVE-2025-66645
Published: 09 December 2025
Summary
CVE-2025-66645 is a high-severity Path Traversal (CWE-22) vulnerability in Zauberzeug NiceGUI, a Python UI framework. Its CVSS 3.1 base score is 7.5 (High).
Operationally, it ranks in the top 26.3% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
Deeper analysis
NiceGUI is a Python-based UI framework; versions 3.3.1 and below are affected by a directory traversal vulnerability. The flaw resides in the App.add_media_files() function and is tracked as CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), allowing reads of files outside the intended media directory. It carries a CVSS 3.1 score of 7.5, reflecting a network attack vector, low attack complexity, and high confidentiality impact with no authentication or user interaction required. The issue was resolved in version 3.4.0.
A remote, unauthenticated attacker can exploit the vulnerability over the network to read arbitrary files from the server filesystem, potentially exposing configuration data, source code, or other sensitive information stored on the host.
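The weakness class, as an added example that is not from the page or the NiceGUI project: a minimal Python file resolver in its vulnerable form next to a hardened one, run over constructed requests. The page does not show how App.add_media_files() built its paths, so the vulnerable function below is a generic model of CWE-22, not NiceGUI's code; the function names, the temporary directory tree and the request strings are all constructed here.

```python
"""Path traversal (CWE-22) in a "serve files from a directory" handler:
the vulnerable pattern beside a hardened one.

Added illustration of the weakness class behind CVE-2025-66645. This is not
NiceGUI's code: the page does not show how App.add_media_files() resolved
paths, so the resolver below is a generic model. Function names, the sample
directory tree and the request strings are constructed for this example.
"""
import tempfile
from pathlib import Path


def resolve_vulnerable(media_root: Path, requested: str) -> Path:
    """Joins the request onto the media directory with no containment check.

    "../" components walk out of media_root, and pathlib discards media_root
    entirely when `requested` is absolute, so any readable file is reachable.
    """
    return media_root / requested


def resolve_hardened(media_root: Path, requested: str) -> Path:
    """Resolves the request and refuses anything that lands outside media_root."""
    root = media_root.resolve()
    # resolve() normalises ".." and follows symlinks, so the containment check
    # below sees the real target, not the string the client sent.
    candidate = (root / requested).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes media root: {requested!r}")
    # Serve regular files only: no directory listings, devices or sockets.
    if not candidate.is_file():
        raise FileNotFoundError(requested)
    return candidate


def demo() -> dict:
    """Builds a constructed tree and runs both resolvers over sample requests.

    Returns, per request, whether the vulnerable resolver would serve a file,
    whether that file lies outside the media root, and how the hardened
    resolver responded.
    """
    base = Path(tempfile.mkdtemp()).resolve()
    media = base / "media"
    media.mkdir()
    (media / "logo.png").write_bytes(b"PNG")                  # legitimate asset
    (base / "secret.txt").write_text("db_password=hunter2")  # one level up
    requests = [
        "logo.png",                # benign
        "../secret.txt",           # classic traversal
        "sub/../../secret.txt",    # traversal through a non-existent directory
        str(base / "secret.txt"),  # absolute path
    ]
    outcome = {}
    for req in requests:
        vuln_target = resolve_vulnerable(media, req).resolve()
        try:
            resolve_hardened(media, req)
            hardened = "served"
        except (PermissionError, FileNotFoundError) as exc:
            hardened = type(exc).__name__
        outcome[req] = {
            "vulnerable_serves": vuln_target.is_file(),
            "vulnerable_escapes": media not in vuln_target.parents,
            "hardened": hardened,
        }
    return outcome


if __name__ == "__main__":
    for req, result in demo().items():
        print(f"{req!r:>40}: {result}")
```

Run it directly to print each request's outcome. Two design points: the containment check runs on the fully resolved path, so URL decoding must already have happened (a web framework normally decodes before routing) and a symlink inside the media directory that points outside it is rejected as well; and serving only regular files rules out directory listings and special files.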
The official GitHub security advisory GHSA-hxp3-63hc-5366 and the associated commit a1b89e2a24e1911a40389ace2153a37f4eea92a9 confirm the patch in 3.4.0 and recommend upgrading as the primary mitigation. The EPSS score remains low, peaking at 0.0111 (about 1.1%), which indicates limited observed exploitation interest to date.
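A version check a practitioner might run against a deployment, added here and not part of the page or the NiceGUI project. It assumes the package is installed under the distribution name nicegui and parses only a small subset of PEP 440 (X.Y.Z plus an optional pre-release tag); because pre-releases sort below the final release, 3.4.0rc1 is still reported as affected, and any version string it cannot parse is reported as unknown rather than as safe.

```python
"""Is the installed NiceGUI inside the affected range (3.3.1 and below)?

Added check, not from the page or the NiceGUI project. Assumes the
distribution name "nicegui" and a deliberately small PEP 440 subset:
X.Y.Z with an optional pre-release tag (a/b/rc/dev), which sorts below the
final release, so 3.4.0rc1 counts as affected. Unparseable strings yield
None so a caller never mistakes "unknown" for "safe".
"""
import re
from importlib.metadata import PackageNotFoundError
from importlib.metadata import version as pkg_version
from typing import Optional, Tuple

FIXED_IN = (3, 4, 0)  # first fixed release per the advisory

# major.minor[.patch] followed by an optional pre-release tag such as
# "rc1", "b2", "a1" or ".dev3"; anything else is treated as unparseable.
_VERSION_RE = re.compile(
    r"^(\d+)\.(\d+)(?:\.(\d+))?(?P<pre>\.?(?:a|b|rc|dev)\d*)?$"
)


def is_affected(ver: str) -> Optional[bool]:
    """True if `ver` is below 3.4.0, False if 3.4.0 or later, None if unknown."""
    m = _VERSION_RE.match(ver.strip())
    if not m:
        return None
    numeric = tuple(int(m.group(i) or 0) for i in (1, 2, 3))
    if numeric < FIXED_IN:
        return True
    if numeric == FIXED_IN and m.group("pre"):
        return True  # a pre-release of 3.4.0 predates the fixed final release
    return False


def check_installed() -> Tuple[str, Optional[bool]]:
    """Returns (installed version or 'not installed', affected?) for nicegui."""
    try:
        ver = pkg_version("nicegui")
    except PackageNotFoundError:
        return ("not installed", False)
    return (ver, is_affected(ver))


if __name__ == "__main__":
    installed, affected = check_installed()
    status = {True: "AFFECTED, upgrade to >= 3.4.0",
              False: "not affected",
              None: "unknown version format, check manually"}[affected]
    print(f"nicegui {installed}: {status}")
```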
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-201931
Vulnerability details
NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. This issue is fixed in version 3.4.0.
- CWE(s): CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
- NiceGUI versions 3.3.1 and below (fixed in 3.4.0)
Mitigating Controls
- Upgrade NiceGUI to 3.4.0 or later, the fixed release referenced by GHSA-hxp3-63hc-5366.
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Validates pathnames and filenames to prevent traversal outside intended directories.