CVE-2026-33332 is a vulnerability in the NiceGUI framework, a Python-based UI toolkit, affecting versions prior to 3.9.0. The issue arises from improper input validation (CWE-20) in the handling of user-supplied query parameters in the app.add_media_file() and app.add_media_files() media routes. These parameters control how media files are read during HTTP streaming responses. Specifically, the parameter is passed unchecked to the range-response implementation, allowing attackers to bypass the intended chunked streaming mechanism. Instead of streaming media files in manageable chunks, the server is forced to load entire files into memory at once. This behavior can lead to excessive memory consumption, which under conditions of large media files and multiple concurrent requests, may degrade server performance or cause denial of service (CWE-770). The vulnerability requires no authentication or user interaction, making it remotely exploitable over the network. The issue was publicly disclosed and assigned CVE-2026-33332 with a CVSS 4.0 base score of 6.9 (medium severity). The vulnerability has been addressed in NiceGUI version 3.9.0 by validating input parameters to prevent bypassing chunked streaming. No known exploits have been reported in the wild to date.

The primary impact of this vulnerability is on availability and performance of systems running vulnerable NiceGUI versions. Attackers can exploit the flaw to cause excessive memory consumption by forcing the server to load entire large media files into memory simultaneously. This can degrade server responsiveness, increase latency, and potentially cause denial of service conditions, especially under high concurrency. Organizations relying on NiceGUI for media streaming in web applications may experience service outages or degraded user experience. While confidentiality and integrity are not directly impacted, the availability disruption can affect business continuity and user trust. The vulnerability is remotely exploitable without authentication, increasing the attack surface. Systems with limited memory resources or those serving large media files are at higher risk. The lack of known exploits reduces immediate risk, but the vulnerability should be addressed proactively to prevent potential abuse.

1. Upgrade NiceGUI to version 3.9.0 or later, where the vulnerability is patched with proper input validation to prevent bypassing chunked streaming. 2. Implement strict input validation and sanitization on all user-controlled parameters related to media streaming, even beyond the framework's built-in protections. 3. Employ rate limiting and request throttling on media routes to reduce the risk of resource exhaustion from concurrent requests. 4. Monitor server memory usage and set alerts for abnormal spikes that could indicate exploitation attempts. 5. Use web application firewalls (WAFs) to detect and block suspicious query parameters or unusually large streaming requests. 6. Conduct regular security assessments and code reviews focusing on input validation and resource management in media handling components. 7. Isolate media streaming services in containers or separate environments with resource limits to contain potential impact. 8. Educate developers on secure coding practices related to streaming and input validation to prevent similar issues in future.