Cyber Posture

CVE-2025-21618

Severity: High
Published: 06 January 2025
Modified: 15 April 2026
KEV Added:
Patch:
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0017 (38.3rd percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

NiceGUI is an easy-to-use, Python-based UI framework. Prior to 2.9.1, authenticating with NiceGUI logged in the user for all browsers, including browsers in incognito mode. This vulnerability is fixed in 2.9.1.

Security Summary

CVE-2025-21618 affects NiceGUI, an easy-to-use Python-based UI framework, in versions prior to 2.9.1. The vulnerability is an improper authentication mechanism (CWE-287): authenticating in one browser logged the user in for every browser talking to the application, including browsers in incognito mode. The flaw has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N); the high severity reflects its network reachability and its integrity impact.

A remote attacker needs no privileges and no user interaction to exploit the vulnerability over the network, and the attack complexity is low. Successful exploitation yields a high integrity impact: the attacker can act as an authenticated user, impersonating or manipulating authenticated sessions from other browser instances, including what should be isolated incognito sessions.

The issue is addressed in NiceGUI version 2.9.1. For details, refer to the security advisory at https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v6jv-p6r8-j78w and the fixing commit at https://github.com/zauberzeug/nicegui/commit/1621a4ba6a06676b8094362d36623551e651adc1.
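The property the advisory says was violated is that login state must be scoped to the browser that authenticated, not to the server process. The following added example is not NiceGUI's code and does not reproduce the framework's internals or the fixing commit; it is a framework-independent model that places the shared-flag failure mode beside a per-browser session design, and gives the isolation check a reviewer can run against either. All class and function names (`Browser`, `SharedLoginStore`, `PerSessionLoginStore`, `login_is_isolated`) are hypothetical.

```python
"""
Added illustration for CVE-2025-21618 (hypothetical code, not NiceGUI's).

Contrasts a login store that keeps one process-wide "who is logged in" flag
(the behaviour the advisory describes: one login authenticates every browser)
with a store that keys login state on a random session id held only in the
authenticating browser's cookie jar. `login_is_isolated` is the regression
check: log in from one browser, confirm a second browser is still anonymous.
"""
import secrets
from typing import Dict, Optional


class Browser:
    """Stand-in for one browser profile. A normal window and an incognito
    window each start with their own, empty cookie jar."""

    def __init__(self) -> None:
        self.cookies: Dict[str, str] = {}


class SharedLoginStore:
    """Weak variant: a single global flag, so once any user logs in, every
    browser that contacts the server is treated as that user."""

    def __init__(self) -> None:
        self.authenticated_user: Optional[str] = None

    def login(self, browser: Browser, username: str) -> None:
        self.authenticated_user = username

    def current_user(self, browser: Browser) -> Optional[str]:
        return self.authenticated_user


class PerSessionLoginStore:
    """Hardened variant: login state lives in a server-side table keyed by an
    unguessable session id; only the browser that logged in holds that id."""

    COOKIE = "session_id"

    def __init__(self) -> None:
        self._sessions: Dict[str, str] = {}

    def login(self, browser: Browser, username: str) -> None:
        # Always mint a fresh 128-bit id at login rather than reusing any
        # pre-login cookie value, so an id planted before login is useless.
        sid = secrets.token_urlsafe(16)
        browser.cookies[self.COOKIE] = sid
        self._sessions[sid] = username

    def current_user(self, browser: Browser) -> Optional[str]:
        sid = browser.cookies.get(self.COOKIE)
        if sid is None:
            return None
        # Unknown or forged ids simply resolve to "anonymous".
        return self._sessions.get(sid)

    def logout(self, browser: Browser) -> None:
        sid = browser.cookies.pop(self.COOKIE, None)
        if sid is not None:
            self._sessions.pop(sid, None)


def login_is_isolated(store) -> bool:
    """Regression check for the advisory's failure mode: after one browser
    logs in, that browser must be authenticated and a second browser with its
    own cookie jar (an incognito window, another machine) must not be."""
    normal, incognito = Browser(), Browser()
    store.login(normal, "alice")
    return (store.current_user(normal) == "alice"
            and store.current_user(incognito) is None)


if __name__ == "__main__":
    print("shared flag isolates logins:", login_is_isolated(SharedLoginStore()))
    print("per-session store isolates logins:",
          login_is_isolated(PerSessionLoginStore()))
```

Run as a script it reports `False` for the shared-flag store and `True` for the per-session store. The same check, pointed at a real deployment with two separate browser profiles, is how to confirm that an upgrade to 2.9.1 or later actually removed the cross-browser login.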

Details

CWE(s)
CWE-287

References