8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-32005

GHSA ID

GHSA-mwc7-64wg-pgvj

EPSS Score

0.1485%

CWE

CWE-22

Published

4/12/2024

Updated

4/15/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-32005

CVE-2024-32005:
NiceGUI allows potential access to local file system

NiceGUI is an easy-to-use, Python-based UI framework. A local file inclusion is present in the NiceUI leaflet component when requesting resource files under the /_nicegui/{__version__}/resources/{key}/{path:path} route.

As a result any file on the backend filesystem which the web server has access to can be read by an attacker with access to the NiceUI leaflet website.

This vulnerability has been addressed in version 1.4.21. Users are advised to upgrade. There are no known workarounds for this vulnerability.

(GitHub Advisory)

8.2

CVSS Score

3.1

Basic Information

CVE ID

CVE-2024-32005

GHSA ID

GHSA-mwc7-64wg-pgvj

EPSS Score

0.1485%

CWE

CWE-22

Published

4/12/2024

Updated

4/15/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nicegui	pip	>= 1.4.6, < 1.4.21	1.4.21

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the _get_resource function handling user-supplied 'path' parameters in resource requests. The GitHub patch adds a critical path resolution check (relative_to) to prevent directory traversal, confirming this was the vulnerable function. The CWE-22/CWE-23 alignment and commit diff directly implicate this function as the attack vector for local file inclusion.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Ni***UI is *n **sy-to-us*, Pyt*on-**s** UI *r*m*work. * lo**l *il* in*lusion is pr*s*nt in t** Ni**UI l***l*t *ompon*nt w**n r*qu*stin* r*sour** *il*s un**r t** `/_ni***ui/{__v*rsion__}/r*sour**s/{k*y}/{p*t*:p*t*}` rout*. *s * r*sult *ny *il* on t*

Reasoning

T** vuln*r**ility st*ms *rom t** _**t_r*sour** *un*tion **n*lin* us*r-suppli** 'p*t*' p*r*m*t*rs in r*sour** r*qu*sts. T** *it*u* p*t** ***s * *riti**l p*t* r*solution ****k (r*l*tiv*_to) to pr*v*nt *ir**tory tr*v*rs*l, *on*irmin* t*is w*s t** vuln*r

8.2

Basic Information

Concerned about an active attack path?

CVE-2024-32005: NiceGUI allows potential access to local file system

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2024-32005:
NiceGUI allows potential access to local file system

Vulnerability Intelligence
Miggo AI