Cyber Resilience

CVE-2025-66645

Severity: High · Public PoC

Published: 09 December 2025
Modified: 19 December 2025
KEV Added: not listed
Patch: NiceGUI 3.4.0 (commit a1b89e2a24e1911a40389ace2153a37f4eea92a9)
CVSS v3.1 score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS score: 0.0076 (73.7th percentile)
Risk priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-66645 is a high-severity Path Traversal (CWE-22) vulnerability in Zauberzeug NiceGUI. Its CVSS base score is 7.5 (High).

Operationally, it ranks in the top 26.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

NiceGUI is a Python-based UI framework that is affected by a directory traversal vulnerability in versions 3.3.1 and below. The flaw resides in the App.add_media_files() function and is tracked as CWE-22, enabling unauthorized access to files outside intended directories. It carries a CVSS 3.1 score of 7.5 reflecting network attack vector, low complexity, and high confidentiality impact without any required authentication or user interaction. The issue was resolved in version 3.4.0.

A remote attacker can exploit the vulnerability over the network to read arbitrary files from the server filesystem, potentially exposing configuration data, source code, or other sensitive information stored on the host.

The official GitHub security advisory GHSA-hxp3-63hc-5366 and the associated commit a1b89e2a24e1911a40389ace2153a37f4eea92a9 confirm the patch in 3.4.0 and recommend upgrading as the primary mitigation. The EPSS score remains low with only a minor peak of 0.0111, indicating limited observed exploitation interest to date.

EU & UK References

Vulnerability details

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. This issue is fixed in version 3.4.0.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: zauberzeug
Product: nicegui
Versions: ≤ 3.4.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses: CWE-22

Validates pathnames and filenames to prevent traversal outside intended directories.
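A containment check of the kind this control describes, applied to a media directory like the one served by the function named in the analysis above. This is an added illustration, not NiceGUI's code or its 3.4.0 patch; the function names and the temporary directory layout are assumptions made for the example.

```python
from __future__ import annotations

import tempfile
from pathlib import Path
from urllib.parse import unquote


def resolve_media_path(base_dir: Path, requested: str) -> Path | None:
    """Map a requested name to a file inside base_dir, or return None.

    Everything is decided after URL-decoding and filesystem resolution,
    so '..' segments, absolute paths and symlinks that escape the media
    root are all caught by one containment check rather than by pattern
    matching on the raw string.
    """
    root = base_dir.resolve()
    decoded = unquote(requested)            # '%2e%2e' becomes '..'
    candidate = (root / decoded).resolve()  # collapses '..', follows symlinks
    # pathlib replaces root when decoded is absolute, so this check also
    # rejects requests that name an absolute path
    if candidate == root or not candidate.is_relative_to(root):
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo() -> dict[str, bool]:
    """Run the check against a constructed temporary layout."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp_path = Path(tmp)
        media = tmp_path / 'media'
        media.mkdir()
        (media / 'clip.mp4').write_bytes(b'constructed sample bytes')
        outside = tmp_path / 'secret.txt'
        outside.write_text('constructed file outside the media root')
        (media / 'link.txt').symlink_to(outside)  # symlink pointing out
        return {
            'inside_served': resolve_media_path(media, 'clip.mp4') is not None,
            'dotdot_rejected': resolve_media_path(media, '../secret.txt') is None,
            'encoded_rejected': resolve_media_path(media, '%2e%2e/secret.txt') is None,
            'absolute_rejected': resolve_media_path(media, str(outside)) is None,
            'symlink_rejected': resolve_media_path(media, 'link.txt') is None,
        }
```

Note that the check is made on the resolved path, so a request is never accepted or refused on the basis of string matching alone; this is what lets the symlink case be handled by the same rule as the `..` case.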

References