CVE-2025-66645 is a path traversal vulnerability classified under CWE-22 affecting the NiceGUI Python UI framework, specifically versions 3.3.1 and earlier. The vulnerability resides in the App.add_media_files() function, which fails to properly restrict pathname inputs to a designated directory. This improper limitation allows a remote attacker to craft requests that traverse directories on the server filesystem, enabling unauthorized reading of arbitrary files. Exploitation requires no authentication or user interaction and can be performed remotely over the network, increasing the attack surface. The vulnerability compromises confidentiality by exposing sensitive files such as configuration files, credentials, or other critical data stored on the server. The flaw does not impact integrity or availability directly but poses a significant risk due to potential information disclosure. The vendor has addressed this issue in version 3.4.0 by implementing proper input validation and directory restriction controls. Although no exploits have been observed in the wild yet, the vulnerability’s characteristics make it a likely target for attackers seeking to gather intelligence or escalate attacks. The CVSS v3.1 base score of 7.5 reflects the vulnerability’s high impact and low complexity of exploitation.

For European organizations, this vulnerability poses a substantial risk to data confidentiality, particularly for entities using NiceGUI in web applications or internal tools. Exposure of sensitive files could lead to leakage of intellectual property, user credentials, or system configuration details, potentially facilitating further attacks such as privilege escalation or lateral movement. Industries with high regulatory requirements around data protection, including finance, healthcare, and government sectors, face increased compliance risks if such data is exposed. The ease of remote exploitation without authentication means attackers can operate stealthily and at scale. Additionally, organizations relying on NiceGUI for customer-facing applications risk reputational damage if breaches occur. The vulnerability’s presence in open-source frameworks also raises concerns about supply chain security, as many European companies integrate such components into their software stacks.

The primary mitigation is to upgrade all instances of NiceGUI to version 3.4.0 or later, where the vulnerability is fixed. Organizations should audit their software inventories to identify deployments of affected NiceGUI versions. For environments where immediate upgrading is not feasible, implementing strict network segmentation and access controls to limit exposure of the NiceGUI service can reduce risk. Web application firewalls (WAFs) can be configured to detect and block path traversal patterns targeting the add_media_files() endpoint. Additionally, monitoring server logs for unusual file access patterns or directory traversal attempts can provide early detection of exploitation attempts. Developers should review and harden input validation routines in custom code interacting with NiceGUI. Finally, organizations should incorporate this vulnerability into their incident response plans and ensure timely patch management processes are in place to address similar future risks.