CVE-2025-66470 Overview
CVE-2025-66470 is a Cross-Site Scripting (XSS) vulnerability in NiceGUI, a Python-based UI framework maintained by Zauberzeug. The flaw affects the ui.interactive_image component in versions 3.3.1 and earlier. The component renders Scalable Vector Graphics (SVG) content using Vue's v-html directive without sanitization. Attackers can inject arbitrary HTML or JavaScript through the SVG <foreignObject> tag when the image component is rendered or updated. The issue is fixed in version 3.4.0.
Critical Impact
Attackers can execute arbitrary JavaScript in the browser context of any user viewing a dashboard or multi-user application that renders user-controlled SVG content through ui.interactive_image.
Affected Products
- Zauberzeug NiceGUI versions 3.3.1 and below
- Applications using the ui.interactive_image component with untrusted SVG input
- Multi-user dashboards or annotation tools built on NiceGUI
Discovery Timeline
- 2025-12-09 - CVE-2025-66470 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-66470
Vulnerability Analysis
The vulnerability is a stored or reflected XSS issue [CWE-79] in the NiceGUI ui.interactive_image component. NiceGUI wraps Vue.js on the frontend, and the interactive_image component passes its content property directly into Vue's v-html directive. The v-html directive interpolates raw HTML without escaping. As a result, any HTML or script content supplied via the component's content attribute is inserted into the Document Object Model (DOM) without filtering.
Root Cause
The component was designed to render SVG overlays on top of images, such as masks, annotations, or interactive shapes. To support arbitrary SVG structures, the developers relied on v-html to inject the SVG markup. SVG documents can legally contain a <foreignObject> element, which embeds arbitrary HTML inside the SVG namespace. Because no sanitization is applied before rendering, an attacker who controls or influences the content value can smuggle <script> tags or event-handler attributes into the page through a <foreignObject> payload.
Attack Vector
Exploitation requires user interaction, such as visiting a page or loading a dashboard that renders attacker-supplied SVG content. In multi-tenant deployments, one authenticated user can annotate or upload content that fires JavaScript in another user's session, enabling session token theft, forced actions on behalf of the victim, or defacement. The fix in version 3.4.0 introduces a sanitize parameter on ui.interactive_image; the default enables sanitization, and developers must opt out explicitly.
# Patch excerpt: examples/image_mask_overlay/main.py
ui.label('+').style('font-size: 18em')
ui.image(mask_src).style('width: 25%')
ui.label('=').style('font-size: 18em')
- image = ui.interactive_image(img_src).style('width: 25%')
+ image = ui.interactive_image(img_src, sanitize=False).style('width: 25%')
image.content = f'''
<image xlink:href="{mask_src}" width="100%" height="100%" x="0" y="0" filter="url(#mask)" />
<filter id="mask">
# Source: https://github.com/zauberzeug/nicegui/commit/58ad0b36e19922de16bbc79ea3ddd29851b1a3e3
The patch adds an explicit sanitize parameter. Trusted internal examples pass sanitize=False to preserve legitimate SVG rendering, while unspecified consumers receive sanitization by default.
Detection Methods for CVE-2025-66470
Indicators of Compromise
- Requests or WebSocket messages carrying SVG payloads containing <foreignObject>, <script>, or on* event-handler attributes bound for NiceGUI endpoints.
- Unexpected outbound connections from browser sessions viewing NiceGUI dashboards, indicating exfiltration by injected JavaScript.
- Application logs recording writes to interactive_image.content originating from unauthenticated or low-privilege users.
Detection Strategies
- Inspect the running version of the nicegui Python package via pip show nicegui and flag any host below version 3.4.0.
- Add server-side logging on any code path assigning user-controlled data to the content attribute of ui.interactive_image.
- Use a Content Security Policy (CSP) report endpoint to capture inline-script violations generated by exploitation attempts.
Monitoring Recommendations
- Review browser and reverse-proxy logs for SVG payloads that include <foreignObject> inside NiceGUI application traffic.
- Monitor authentication logs for session anomalies following dashboard views, which may indicate cookie or token theft via XSS.
- Track deployment inventories for Python applications importing nicegui and correlate installed versions against the fixed release.
How to Mitigate CVE-2025-66470
Immediate Actions Required
- Upgrade NiceGUI to version 3.4.0 or later, where sanitization is the default behavior for ui.interactive_image.
- Audit application code for calls to ui.interactive_image that assign attacker-influenced values to the content attribute.
- Revoke and rotate session tokens for users of multi-tenant NiceGUI dashboards that processed untrusted content prior to patching.
Patch Information
The fix is delivered in NiceGUI 3.4.0. The upstream commit 58ad0b36e19922de16bbc79ea3ddd29851b1a3e3 introduces a sanitize parameter on ui.interactive_image, enabling HTML sanitization by default. Full details are available in the GitHub Security Advisory GHSA-2m4f-cg75-76w2 and the upstream patch commit.
Workarounds
- Server-side sanitize any SVG content before assignment to interactive_image.content, stripping <script>, <foreignObject>, and on* handlers.
- Restrict who can submit or modify image annotations to authenticated, trusted roles until the upgrade is complete.
- Deploy a strict Content Security Policy that disallows inline scripts and untrusted script sources on pages rendering ui.interactive_image.
# Upgrade NiceGUI to the patched release
pip install --upgrade 'nicegui>=3.4.0'
# Verify the installed version
python -c "import nicegui, sys; print(nicegui.__version__); sys.exit(0 if nicegui.__version__ >= '3.4.0' else 1)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

