NiceGUI: Upload filename sanitization bypass via backslashes allows path traversal on Windows

Description

Summary

The upload filename sanitization introduced in GHSA-9ffm-fxg3-xrhh uses PurePosixPath(filename).name to strip path components. Since PurePosixPath only recognizes forward slashes (/) as path separators, an attacker can bypass this sanitization on Windows by using backslashes (\) in the upload filename.

Applications that construct file paths using file.name (a pattern demonstrated in NiceGUI's bundled examples) are vulnerable to arbitrary file write on Windows.

Details

The sanitization in nicegui/elements/upload_files.py uses:

filename = PurePosixPath(upload.filename or '').name

PurePosixPath treats backslashes as literal characters, not path separators:

>>> PurePosixPath('..\\..\\secret\\evil.txt').name
'..\\..\\secret\\evil.txt'  # Not stripped!

When this filename is used in a path operation on Windows (e.g., Path('uploads') / file.name), Windows Path interprets backslashes as directory separators, resolving the path outside the intended directory.

Impact

On Windows deployments of NiceGUI applications that use file.name in path construction:

  • Arbitrary file write outside the intended upload directory
  • Potential remote code execution through overwriting application files or placing executables in known locations
  • Data integrity loss through overwriting existing files

Linux and macOS are not affected, as they treat backslashes as literal filename characters.

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2026-04-08 15:04:13 UTC
Updated
2026-04-09 14:28:48 UTC
GitHub reviewed
2026-04-08 15:04:13 UTC
NVD published
2026-04-08

EPSS Score

Score Percentile
0.06% 18.26%

CVSS Scores

Base score Version Severity Vector
5.9 3.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:H)
Even with access, the exploit needs extra luck, timing, or a fussy environment to actually work.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:U)
Damage stays in the same “trust bubble” as the broken component—no big spill into unrelated systems.
Confidentiality (C:N)
Doesn’t really leak secrets in a meaningful way.
Integrity (I:H)
They could widely tamper with or forge data—trust in the data is badly hurt.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Credits

  • offset (reporter)
  • evnchn (remediation_developer)
  • falkoschindler (remediation_reviewer)

Affected packages (1)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
pip nicegui <= 3.9.0 3.10.0

References

cvelogic Threat Intelligence