CVE-2026-33332
NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 7th |
NiceGUI is a Python-based UI framework. Prior to version 3.9.0, NiceGUI's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. The parameter is passed to the range-response implementation without validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. With large media files and concurrent requests, this can lead to excessive memory consumption, degraded performance, or denial of service. This issue has been patched in version 3.9.0.
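The failure mode described above, next to the kind of bounds check that prevents it, as an added example that is neither NiceGUI's code nor its 3.9.0 patch. The function names, the 64 KiB default and the 1 MiB cap are assumptions chosen for illustration.

```python
import io

DEFAULT_CHUNK = 64 * 1024   # assumed server default, not NiceGUI's value
MAX_CHUNK = 1024 * 1024     # assumed upper bound on a single read

def parse_chunk_size(raw, default=DEFAULT_CHUNK, maximum=MAX_CHUNK):
    """Validate a client-supplied chunk size (hypothetical helper)."""
    if raw is None:
        return default
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return default          # non-numeric input: ignore it
    if value <= 0:
        return default          # zero or negative: ignore it
    return min(value, maximum)  # oversized: clamp to the cap

def stream_range(fileobj, start, end, chunk_size):
    """Yield bytes start..end (inclusive) in reads of at most chunk_size."""
    fileobj.seek(start)
    remaining = end - start + 1
    while remaining > 0:
        data = fileobj.read(min(chunk_size, remaining))
        if not data:
            break
        remaining -= len(data)
        yield data

def make_media(size):
    """Constructed in-memory stand-in for a large media file."""
    return io.BytesIO(b"\0" * size)

def peak_buffer(size, raw_chunk, validate):
    """Largest single buffer held while serving the whole file once."""
    chunk = parse_chunk_size(raw_chunk) if validate else int(raw_chunk)
    media = make_media(size)
    return max(len(c) for c in stream_range(media, 0, size - 1, chunk))

if __name__ == "__main__":
    size = 4 * 1024 * 1024
    oversized = str(10**12)  # constructed query-parameter value
    print("unvalidated peak:", peak_buffer(size, oversized, validate=False))
    print("validated peak:  ", peak_buffer(size, oversized, validate=True))
```

Without validation the peak buffer equals the file size, and that cost is multiplied by the number of concurrent requests; with the clamp it never exceeds the cap regardless of what the client sends.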
| CWE | CWE-20 CWE-770 |
| Vendor | zauberzeug |
| Product | nicegui |
| Published | Mar 24, 2026 |
| Last Updated | Mar 25, 2026 |
Affected Versions
zauberzeug / nicegui
< 3.9.0