GHSA-w5g8-5849-vj76: NiceGUI's unvalidated chunk size parameter in media routes can cause memory exhaustion
Summary
NiceGUI's media file serving functions accept a user-controlled chunk size parameter that determines how files are read during streaming, and they do not validate it. An attacker can use this to force the server to load an entire file into memory at once instead of sending it in chunks (smaller pieces), which can exhaust the server's memory and stop it from working, especially with large files such as videos.
Solution / Mitigation
Upgrade to a patched version of NiceGUI. As a workaround, restrict access to media endpoints or strip unexpected query parameters at a reverse proxy layer (a server that sits between users and your application to filter requests).
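The two defences named above, sketched as an added example that is not NiceGUI's code or its patch: a streaming reader that bounds an untrusted chunk size before using it, and a query-string filter of the kind a proxy or middleware layer would apply. The parameter name `chunk_size`, the path `/media/clip.mp4`, the default and maximum sizes, and all function names are assumptions made for illustration.

```python
import io
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Assumed values for illustration; not taken from NiceGUI.
DEFAULT_CHUNK = 8192
MAX_CHUNK = 1024 * 1024
ALLOWED_PARAMS = frozenset()  # media URLs in this sketch need no query string


def safe_chunk_size(raw, default=DEFAULT_CHUNK, maximum=MAX_CHUNK):
    """Turn an untrusted query value into a bounded read size."""
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return default
    if value < 1:
        return default
    return min(value, maximum)


def stream_file(fileobj, raw_chunk_size=None):
    """Yield the file in pieces no larger than the validated chunk size."""
    size = safe_chunk_size(raw_chunk_size)
    while True:
        chunk = fileobj.read(size)
        if not chunk:
            return
        yield chunk


def peak_buffer(data, raw_chunk_size):
    """Largest single read (bytes held at once) while streaming `data`."""
    reads = stream_file(io.BytesIO(data), raw_chunk_size)
    return max((len(c) for c in reads), default=0)


def strip_unexpected_params(url, allowed=ALLOWED_PARAMS):
    """Workaround form: drop query parameters that are not allowlisted."""
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(k, v) for k, v in pairs if k in allowed]
    return urlunsplit(parts._replace(query=urlencode(kept)))


if __name__ == "__main__":
    sample = b"\x00" * (3 * MAX_CHUNK)  # constructed 3 MiB stand-in for a video
    for raw in (None, "4096", "abc", "0", str(10**12)):
        print(repr(raw), "->", peak_buffer(sample, raw))
    print(strip_unexpected_params("/media/clip.mp4?chunk_size=123&t=5"))
```

Whatever value arrives, the largest single read stays at or below `MAX_CHUNK`, so memory use per request no longer scales with file size.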
Vulnerability Details
EPSS: 0.0%
Yes
March 19, 2026
Original source: https://github.com/advisories/GHSA-w5g8-5849-vj76
First tracked: March 19, 2026 at 03:00 PM