CVE-2026-33332 Overview
CVE-2026-33332 is a denial of service vulnerability affecting NiceGUI, a Python-based UI framework. Prior to version 3.9.0, the framework's app.add_media_file() and app.add_media_files() media routes accept a user-controlled query parameter that influences how files are read during streaming. This parameter is passed to the range-response implementation without proper validation, allowing an attacker to bypass chunked streaming and force the server to load entire files into memory at once. When exploited with large media files and concurrent requests, this vulnerability can lead to excessive memory consumption, degraded performance, or complete denial of service.
Critical Impact
Attackers can exhaust server memory by forcing large media files to be loaded entirely into memory, bypassing intended chunked streaming protections. This can cause service degradation or complete denial of service for applications built on NiceGUI.
Affected Products
- Zauberzeug NiceGUI versions prior to 3.9.0
Discovery Timeline
- 2026-03-24 - CVE-2026-33332 published to NVD
- 2026-03-26 - Last updated in NVD database
Technical Details for CVE-2026-33332
Vulnerability Analysis
This vulnerability stems from improper input validation (CWE-20) in NiceGUI's media streaming functionality. The app.add_media_file() and app.add_media_files() methods are designed to serve media content through chunked streaming, which efficiently handles large files by reading and transmitting them in smaller segments. However, a user-controlled query parameter that influences file reading behavior is passed directly to the range-response implementation without any validation.
An attacker can manipulate this parameter to bypass the chunked streaming mechanism entirely, forcing the server to read and load complete files into memory before responding. When targeting large media files or sending multiple concurrent requests, this behavior can rapidly exhaust available server memory, leading to resource exhaustion conditions.
Root Cause
The root cause is insufficient input validation on a query parameter that controls file streaming behavior. The vulnerable code path accepts user input that determines how media files are read during HTTP range responses but fails to validate or sanitize this input before processing. This allows attackers to specify values that circumvent the intended chunked streaming implementation, directly impacting memory allocation patterns on the server.
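To make the mechanism concrete, here is an added example (not NiceGUI's own code) of a range-response reader that clamps a client-supplied chunk size to fixed bounds before reading, so no query value can turn one read into the whole file. The parameter handling, the bounds, and the in-memory file are assumptions for this illustration.

```python
import io

# Fixed bounds for one read. Constructed values for this example; the bounds
# NiceGUI chose for the 3.9.0 fix are not given on this page.
MIN_CHUNK = 1024
MAX_CHUNK = 1024 * 1024
DEFAULT_CHUNK = 64 * 1024

def safe_chunk_size(raw):
    """Map an untrusted query value (str or None) onto a bounded chunk size."""
    if raw is None:
        return DEFAULT_CHUNK
    try:
        value = int(raw)
    except (TypeError, ValueError):
        return DEFAULT_CHUNK
    # Clamp instead of trusting the client: no single read can exceed MAX_CHUNK.
    return max(MIN_CHUNK, min(value, MAX_CHUNK))

def parse_range(header, file_size):
    """Parse a single 'bytes=start-end' Range header into inclusive offsets."""
    if not header or not header.startswith('bytes='):
        return 0, file_size - 1
    start_s, _, end_s = header[len('bytes='):].partition('-')
    if not start_s:                      # suffix form 'bytes=-N': last N bytes
        return max(0, file_size - int(end_s)), file_size - 1
    start = int(start_s)
    end = min(int(end_s), file_size - 1) if end_s else file_size - 1
    if start > end:
        raise ValueError('unsatisfiable range')
    return start, end

def iter_range(fileobj, start, end, chunk_size):
    """Yield bytes start..end from fileobj in pieces of at most chunk_size."""
    fileobj.seek(start)
    remaining = end - start + 1
    while remaining > 0:
        piece = fileobj.read(min(chunk_size, remaining))
        if not piece:
            break
        remaining -= len(piece)
        yield piece

def stream(data, range_header, raw_chunk):
    """Serve an in-memory 'file'; return (body, largest single read made)."""
    start, end = parse_range(range_header, len(data))
    pieces = list(iter_range(io.BytesIO(data), start, end, safe_chunk_size(raw_chunk)))
    return b''.join(pieces), max(len(p) for p in pieces)
```

The second value returned by stream() is the peak memory a single read can take, which stays bounded whatever the client sends.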
Attack Vector
This vulnerability is exploitable over the network without authentication. An attacker can craft malicious HTTP requests to media file endpoints exposed by NiceGUI applications. By manipulating the vulnerable query parameter, the attacker can force the server to load entire media files into memory rather than streaming them in chunks.
The attack becomes particularly effective when:
- The application serves large media files (video, audio, or large images)
- Multiple concurrent requests are sent to maximize memory consumption
- The server has limited available memory resources
The exploitation does not require any user interaction and can be performed by any unauthenticated remote attacker with network access to the vulnerable application.
Detection Methods for CVE-2026-33332
Indicators of Compromise
- Unusual memory consumption spikes on servers running NiceGUI applications
- Multiple concurrent requests to media file endpoints with abnormal query parameters
- Server performance degradation or out-of-memory errors correlating with media file requests
- Application crashes or restarts due to memory exhaustion
Detection Strategies
- Monitor server memory utilization for sudden spikes during media file requests
- Implement logging for query parameters passed to app.add_media_file() and app.add_media_files() endpoints
- Set up alerting for abnormal patterns of concurrent requests to media routes
- Review web server access logs for repeated requests to media endpoints with unusual query strings
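To make the access-log review above concrete, here is an added example (not part of this advisory) that parses constructed nginx "combined" log lines and flags media requests that carry a query string, plus per-client bursts within a short window. The /media/ prefix, the placeholder query key "param" (the advisory does not name the real parameter), and the thresholds are assumptions to adapt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlsplit

# Constructed nginx "combined" log lines for this example; not real traffic.
# "param" is a placeholder for the vulnerable query parameter, which this
# advisory does not name.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Mar/2026:10:00:01 +0000] "GET /media/talk.mp4 HTTP/1.1" 206 65536 "-" "Mozilla/5.0"
198.51.100.9 - - [24/Mar/2026:10:00:01 +0000] "GET /media/talk.mp4?param=1 HTTP/1.1" 206 4194304 "-" "python-requests/2.31"
198.51.100.9 - - [24/Mar/2026:10:00:02 +0000] "GET /media/talk.mp4?param=1 HTTP/1.1" 206 4194304 "-" "python-requests/2.31"
198.51.100.9 - - [24/Mar/2026:10:00:02 +0000] "GET /media/talk.mp4?param=1 HTTP/1.1" 206 4194304 "-" "python-requests/2.31"
203.0.113.7 - - [24/Mar/2026:10:00:05 +0000] "GET /static/app.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
MEDIA_PREFIX = '/media/'   # assumption: media routes are mounted under this path
BURST_LIMIT = 3            # media requests per client per window (assumed threshold)
WINDOW_SECONDS = 10

def parse_line(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status, size = m.groups()
    when = datetime.strptime(ts, '%d/%b/%Y:%H:%M:%S %z')
    url = urlsplit(target)
    return {'ip': ip, 'time': when, 'path': url.path, 'query': url.query,
            'status': int(status), 'bytes': 0 if size == '-' else int(size)}

def find_suspicious(log_text):
    """Return (ip, reason) findings for media requests worth a closer look."""
    findings = []
    recent = defaultdict(deque)   # ip -> timestamps of recent media requests
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec['path'].startswith(MEDIA_PREFIX):
            continue
        if rec['query']:          # media routes normally take no query string
            findings.append((rec['ip'], 'query string on media route: ' + rec['query']))
        q = recent[rec['ip']]
        q.append(rec['time'])
        while (rec['time'] - q[0]).total_seconds() > WINDOW_SECONDS:
            q.popleft()           # drop requests that fell out of the window
        if len(q) == BURST_LIMIT: # fires once when the limit is reached
            findings.append((rec['ip'], f'{BURST_LIMIT} media requests within {WINDOW_SECONDS}s'))
    return findings
```

Run against SAMPLE_LOG it reports three query-string findings and one burst finding, all for 198.51.100.9, and nothing for the ordinary client.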
Monitoring Recommendations
- Configure memory usage thresholds and alerts on servers hosting NiceGUI applications
- Implement rate limiting on media file endpoints to prevent resource exhaustion attacks
- Monitor for application restarts or crashes that may indicate successful exploitation
- Track request patterns to media endpoints for anomalous behavior
How to Mitigate CVE-2026-33332
Immediate Actions Required
- Upgrade NiceGUI to version 3.9.0 or later immediately
- Review application deployments to identify all instances running vulnerable versions
- Consider temporarily disabling or restricting access to media file endpoints if immediate patching is not possible
- Implement network-level rate limiting on media file routes as a temporary measure
Patch Information
Zauberzeug has addressed this vulnerability in NiceGUI version 3.9.0. The fix includes proper validation of the query parameter that controls file streaming behavior. Organizations should update to this version or later to remediate the vulnerability.
For detailed information on the security fix, refer to the GitHub Security Advisory GHSA-w5g8-5849-vj76 and the patch commit. The updated release is available at NiceGUI v3.9.0.
Workarounds
- Implement a reverse proxy or web application firewall to filter and validate query parameters on media routes
- Apply network-level rate limiting to restrict concurrent requests to media file endpoints
- Configure server memory limits and implement automatic restart policies to maintain availability during attack attempts
- Restrict access to media file endpoints using authentication or IP-based access controls until patching is complete
# Example: Configure rate limiting with nginx for media endpoints
# limit_req_zone must sit in the http block, before it is referenced; the upstream port and /media/ prefix are assumptions to adapt
http {
    limit_req_zone $binary_remote_addr zone=media_limit:10m rate=5r/s;
    upstream nicegui_backend {
        server 127.0.0.1:8080;
    }
    server {
        location ~ ^/media/ {
            limit_req zone=media_limit burst=10 nodelay;
            proxy_pass http://nicegui_backend;
        }
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.