CVE-2025-66645 is a path traversal vulnerability classified under CWE-22 found in the NiceGUI Python UI framework, specifically in versions 3.3.1 and earlier. The vulnerability exists in the App.add_media_files() function, which fails to properly limit pathnames to a restricted directory. This flaw allows remote attackers to craft specially designed requests that traverse directories on the server filesystem, enabling unauthorized reading of arbitrary files. The attack vector is network-based, requiring no authentication or user interaction, making exploitation straightforward. The vulnerability compromises confidentiality by exposing potentially sensitive files, but does not affect integrity or availability. The issue was publicly disclosed on December 9, 2025, and fixed in version 3.4.0 of NiceGUI. Although no known exploits are currently in the wild, the ease of exploitation and high impact make it a critical risk for affected deployments. Organizations using NiceGUI in web-facing or internal applications should consider this a priority vulnerability. The lack of integrity or availability impact means attackers cannot modify or disrupt services but can gain sensitive information, which could lead to further attacks or data breaches.

For European organizations, the primary impact is the unauthorized disclosure of sensitive information stored on servers running vulnerable NiceGUI versions. This can include configuration files, credentials, personal data, or intellectual property, leading to data breaches and compliance violations under GDPR. The vulnerability's remote, unauthenticated nature increases the risk of widespread exploitation, especially in internet-facing applications. Confidentiality loss can facilitate further attacks such as privilege escalation or lateral movement within networks. Organizations in sectors like finance, healthcare, and government, which often handle sensitive data, face heightened risks. Additionally, reputational damage and regulatory penalties could result from exploitation. Since NiceGUI is a Python-based framework, organizations leveraging Python for rapid UI development are particularly vulnerable. The absence of integrity or availability impact limits the threat to data exposure rather than service disruption, but the severity remains high due to the sensitivity of exposed data.

The primary mitigation is to upgrade all NiceGUI deployments to version 3.4.0 or later, where the vulnerability is patched. Organizations should audit their use of the App.add_media_files() function and ensure no legacy versions remain in production or development environments. Implement strict access controls and network segmentation to limit exposure of NiceGUI applications, especially those accessible from the internet. Employ web application firewalls (WAFs) with custom rules to detect and block path traversal attempts targeting media file endpoints. Conduct thorough file system permission reviews to minimize sensitive file exposure even if traversal occurs. Monitor logs for suspicious access patterns indicative of path traversal exploitation attempts. Educate developers on secure coding practices to avoid similar directory traversal flaws. Finally, integrate vulnerability scanning and automated patch management to promptly address future vulnerabilities in third-party frameworks.