CVE-2025-53354 is a Cross-Site Scripting (XSS) vulnerability affecting versions 2.24.2 and below of NiceGUI, a Python-based UI framework developed by zauberzeug. The vulnerability arises because NiceGUI's ui.html() component does not enforce sanitization of HTML or JavaScript content when rendering user input into the DOM. Specifically, when developers use ui.html() to render unescaped user input, or combine components such as ui.input() or ui.chat_message with HTML content without proper escaping, attackers can inject and execute arbitrary JavaScript code in the context of the victim's browser. This improper neutralization of input during web page generation corresponds to CWE-79. The vulnerability requires user interaction (e.g., a user visiting a maliciously crafted page or inputting malicious content) but does not require authentication or elevated privileges. The CVSS v3.1 score is 6.1 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change with partial confidentiality and integrity impact but no availability impact. The issue is fixed in NiceGUI version 3.0.0. Applications that do not pass untrusted input into ui.html() are not affected. There are no known exploits in the wild at the time of publication.

For European organizations using NiceGUI versions prior to 3.0.0, this vulnerability poses a risk of client-side script injection leading to session hijacking, credential theft, defacement, or unauthorized actions performed on behalf of users. Since NiceGUI is a UI framework, the impact depends heavily on how developers use it; applications that directly render unescaped user input into the DOM are vulnerable. The confidentiality and integrity of user data can be compromised, potentially exposing sensitive information or enabling further attacks such as phishing or lateral movement within internal networks. The vulnerability does not affect availability directly but can undermine user trust and compliance with data protection regulations such as GDPR if personal data is exposed. European organizations in sectors with high web application usage, such as finance, healthcare, and government, may face reputational damage and regulatory penalties if exploited. The requirement for user interaction limits automated exploitation but targeted attacks against employees or customers remain feasible.

European organizations should immediately upgrade all NiceGUI deployments to version 3.0.0 or later, where the vulnerability is fixed. Until upgrades are completed, developers must audit their applications to identify any use of ui.html() or ui.chat_message components that render user input without proper escaping or sanitization. Input validation and output encoding should be implemented rigorously to neutralize any HTML or JavaScript content before rendering. Employ Content Security Policy (CSP) headers to restrict the execution of unauthorized scripts in browsers. Additionally, security teams should monitor web application logs for suspicious input patterns and user behavior indicative of XSS attempts. User education on phishing and suspicious links can reduce the risk from social engineering vectors. Finally, incorporate automated security testing tools that detect XSS vulnerabilities during development and deployment cycles to prevent recurrence.