{"data":{"id":"c86c90a5-947f-4997-af5a-a128284c3b4b","title":"GHSA-pq7c-x8g4-rvp6: NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes","summary":"NiceGUI has a vulnerability in two routes (resource and ESM module routes) that serve files without authentication. If a request tries to access a directory instead of a file through these routes, it causes an unhandled error that writes a large traceback (around 100 lines) to the server log. An attacker can repeatedly trigger this to fill up disk space, overload logging systems, and create false alarms in monitoring without needing any special access.","solution":"The source mentions three workarounds for deployments unable to upgrade immediately: (1) Place NiceGUI behind a reverse proxy that rejects requests where the path after `/_nicegui/<version>/esm/<key>/` or `/_nicegui/<version>/resources/<key>/` is empty. (2) Rate-limit the `/_nicegui/` prefix at the proxy. (3) Configure log rotation aggressively for the affected service. For a permanent fix, upgrading NiceGUI is recommended, though no specific patched version is mentioned in the source.","labels":["security"],"sourceUrl":"https://github.com/advisories/GHSA-pq7c-x8g4-rvp6","publishedAt":"2026-05-18T20:22:07.000Z","cveId":"CVE-2026-45554","cweIds":null,"cvssScore":null,"cvssSeverity":"medium","severity":"medium","attackType":["denial_of_service"],"issueType":"vulnerability","affectedPackages":["nicegui@<= 3.11.1 (fixed: 3.12.0)"],"affectedVendors":[],"affectedVendorsRaw":["NiceGUI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":true,"disclosureDate":"2026-05-18T20:22:07.000Z","capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["availability"],"aiComponentTargeted":null,"llmSpecific":false,"classifierConfidence":0.75,"researchCategory":null,"atlasIds":null}}