6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-66469

CVE-2025-66469: NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection

Summary

A Cross-Site Scripting (XSS) vulnerability exists in ui.add_css, ui.add_scss, and ui.add_sass functions in NiceGUI (v3.3.1 and earlier).

These functions allow developers to inject styles dynamically. However, they lack proper sanitization or encoding for the JavaScript context they generate. An attacker can break out of the intended <style> or <script> tags by injecting closing tags (e.g., </style> or </script>), allowing for the execution of arbitrary JavaScript.

Details

The vulnerability stems from how these functions inject content into the DOM using client.run_javascript (or add_head_html internally) without sufficient escaping for the transport layer.

ui.add_css: Injects content into a <style> tag. Input containing </style> closes the tag prematurely, allowing subsequent HTML/JS injection.
ui.add_scss / ui.add_sass: These rely on client-side compilation within <script> tags. Input containing </script> breaks the execution context, allowing XSS.

PoC

Scenario: A developer allows users to customize a theme color via a URL parameter.

from nicegui import ui

@ui.page('/')
def main(color: str = 'blue'):
    # Vulnerable implementation of dynamic theming
    ui.add_css(f'.q-btn {{ background-color: {color} !important; }}')
    ui.button('Click Me')

ui.run(port=8082)

Attack Vector: Accessing the following URL executes arbitrary JavaScript: http://localhost:8082/?color=red;}</style><img src=x onerror=alert(document.domain)><style>

Impact

Type: Reflected XSS
Severity: Moderate
Affected Components: Applications using ui.add_css, ui.add_scss, or ui.add_sass with untrusted input (e.g., dynamic theming based on user input).

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-66469

CVE-2025-66469:

6.1

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nicegui	pip	<= 3.3.1	3.4.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the nicegui library's functions for adding dynamic styles: add_css, add_scss, and add_sass. The core issue is the lack of proper sanitization for user-controlled input before it is embedded into the HTML page.

add_css: The original code wrapped the input content directly within <style> tags. This allowed an attacker to craft an input string that closes the <style> tag and then injects a <script> tag, resulting in XSS. The patch mitigates this by no longer embedding the content directly. Instead, it passes the content to a new JavaScript helper function, addStyle, which programmatically creates a style element and sets its textContent. This ensures the browser treats the content as plain text, not as HTML to be parsed.
add_scss / add_sass: These functions compile SASS on the client side within a <script> tag. The vulnerability was similar: an input containing </script> could prematurely terminate the script block, allowing for arbitrary code injection. The fix involves sanitizing the input by escaping the < character (.replace('<', r'\\u003c')) before embedding it into the JavaScript string that gets compiled, preventing the browser from interpreting any injected tags.

Vulnerable functions

add_css

nicegui/functions/style.py

The function directly embedded user-provided `content` into a `<style>` tag without proper sanitization. An attacker could provide a malicious string containing `</style>` to close the tag and inject arbitrary HTML and JavaScript, leading to a reflected Cross-Site Scripting (XSS) vulnerability.

add_scss

nicegui/functions/style.py

The function embedded user-provided `content` into a `<script>` tag for client-side SASS compilation. It failed to sanitize input that contained a closing `</script>` tag, allowing an attacker to break out of the script context and inject arbitrary code. This vulnerability also affects the `add_sass` function, which relies on `add_scss`.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-66469: NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection

Summary

Details

PoC

Impact

CVE-2025-66469:

6.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

6.1

6.1

Basic Information

Basic Information

CVE-2025-66469: NiceGUI Reflected XSS in ui.add_css, ui.add_scss, and ui.add_sass via Style Injection

Summary

Details

PoC

Impact

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI