GHSA-pq7c-x8g4-rvp6: NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes
Summary
NiceGUI has a vulnerability in two routes (the resource route and the ESM module route) that serve files without authentication. If a request addresses a directory instead of a file through either route, the server raises an unhandled error and writes a large traceback (around 100 lines) to its log. An attacker can trigger this repeatedly, without any special access, to fill disk space, overload log pipelines, and generate false alarms in monitoring.
Solution / Mitigation
The source mentions three workarounds for deployments that cannot upgrade immediately: (1) Place NiceGUI behind a reverse proxy that rejects requests where the path after `/_nicegui/<version>/esm/<key>/` or `/_nicegui/<version>/resources/<key>/` is empty. (2) Rate-limit the `/_nicegui/` prefix at the proxy. (3) Configure aggressive log rotation for the affected service. For a permanent fix, upgrading NiceGUI is recommended, though the source names no specific patched version.
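As an added illustration (not code from NiceGUI or the advisory), a pure-ASGI middleware that applies workaround (1) in-process when no proxy sits in front of the app. The `<version>` and `<key>` segment formats and the 404 response are assumptions; the check also rejects trailing-slash and dot-only remainders, which goes beyond the empty-path case the workaround names.

```python
import re

# Matches the two unauthenticated file-serving routes named in the advisory.
# The advisory only specifies the prefixes; treating <version> and <key> as
# single path segments is an assumption about NiceGUI's route shape.
_ROUTE = re.compile(r"^/_nicegui/[^/]+/(?:esm|resources)/[^/]+/(?P<rest>.*)$")


def rejects_directory_request(path: str) -> bool:
    """Return True when a request should be dropped before reaching NiceGUI.

    Rejects an esm/resources request whose remainder after <key>/ is empty
    (the case the advisory's workaround describes), ends in a slash, or
    consists only of '.'/'..' segments, since each names a directory rather
    than a file and would trigger the unhandled error.
    """
    match = _ROUTE.match(path)
    if match is None:
        return False  # not one of the affected routes; let the app handle it
    rest = match.group("rest")
    if rest == "" or rest.endswith("/"):
        return True
    return all(seg in ("", ".", "..") for seg in rest.split("/"))


class RejectDirectoryRequests:
    """Hypothetical ASGI middleware that wraps any ASGI app (e.g. NiceGUI's)."""

    def __init__(self, app):
        self.app = app

    async def __call__(self, scope, receive, send):
        if scope["type"] == "http" and rejects_directory_request(scope["path"]):
            # Answer with a plain 404 instead of letting the route raise and log.
            await send({"type": "http.response.start", "status": 404,
                        "headers": [(b"content-type", b"text/plain")]})
            await send({"type": "http.response.body", "body": b"not found"})
            return
        await self.app(scope, receive, send)
```

Wrap the application once at startup (`app = RejectDirectoryRequests(app)`); requests that pass the check reach NiceGUI unchanged.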
Vulnerability Details
EPSS: 0.0%
May 18, 2026
Original source: https://github.com/advisories/GHSA-pq7c-x8g4-rvp6
First tracked: May 18, 2026 at 08:00 PM
Classified by LLM (prompt v3) · confidence: 75%