Product Research Enterprise Plans Docs

PyPi: Nicegui

CVE-2024-24762

Transitive

Safety vulnerability ID: 65677

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Feb 05, 2024 Updated at May 13, 2024

Scan your Python projects for vulnerabilities →

Advisory

Nicegui version 1.4.16 increases the required version of python-multipart to 0.0.7. This update addresses the Regular Expression Denial of Service (ReDoS) vulnerability associated with the Content-Type header, detailed in CVE-2024-24762.
https://github.com/zauberzeug/nicegui/pull/2569/commits/89fefcb086bdc8a3e9159585627d7bba773f8a62

Affected package

nicegui

Latest version: 1.4.25

Create web-based user interfaces with Python. The nice way.

Affected versions

Fixed versions

Vulnerability changelog

New features and enhancements

- Introduce [`ui.navigate`](https://nicegui.io/documentation/navigate) module to replace `ui.open` (#2575, 2593 by ZeroCool940711, falkoschindler, rodja)
- Introduce [`ui.restructured_text`](https://nicegui.io/documentation/restructured_text) element (#2561 by ZeroCool940711, falkoschindler)
- Support [other tags](https://nicegui.io/documentation/html#producing_in-line_elements) than div for [`ui.html`](https://nicegui.io/documentation/html) (#2610 by kleynjan)
- Introduce a pure [JavaScript event handler](https://nicegui.io/documentation/run_javascript#run_async_javascript) (2383, 2536 by WSH032, falkoschindler, rodja)
- Allow awaiting the "init" event of [`ui.leaflet` (map)](https://nicegui.io/documentation/leaflet) and [`ui.scene` (3d)](https://nicegui.io/documentation/scene) (#2500, 2606 by elkarouh, kleynjan, falkoschindler, rodja)
- Support [GLTF meshes in `ui.scene`](https://nicegui.io/documentation/scene) elements (#2532 by fabian0702, falkoschindler)
- Add On Air support for [`ui.run_with`](https://github.com/zauberzeug/nicegui/blob/1d2310842cb9153f8d5250a483a9bfc8ddb5d4cc/examples/fastapi/frontend.py#L15C5-L19C6) (2526, 2546 by csrubin, falkoschindler)

Bugfixes

- Fix binding removal for non-hashable objects (2540, 2544 by kleynjan, falkoschindler)
- Fix order of removing elements when client disconnects (2589, 2603 by Johannes-)
- Fix RecursionError when deleting [`ui.leaflet`](https://nicegui.io/documentation/leaflet) elements (#2587, 2609 by thickmn, falkoschindler)
- Fix layer events and `run_layer_method` for [`ui.leaflet`](https://nicegui.io/documentation/leaflet) (#2500, 2557 by elkarouh, kleynjan, falkoschindler)
- Fix modifiers on key event for [`ui.interactive_image()`](https://nicegui.io/documentation/interactive_image) (#2530 by masrab, falkoschindler)
- Fix `.tooltip()` ignoring `default_classes` from [`ui.tooltip`](https://nicegui.io/documentation/tooltip) (#2554 by h0uter, falkoschindler)
- Raise minimum version of `python-multipart` to avoid Content-Type Header ReDoS (2569 by svfoxat)

Documentation

- Show a content preview when using the search dialog (2547 by ZeroCool940711, rodja, falkoschindler)
- Use more specific page titles for individual documentation pages (2583, 2607 by bandit-masked, falkoschindler)
- Add tooltips to the search and theme buttons (2539 by ZeroCool940711)
- Add a demo for custom icon sets (2617, 2620 by me21, falkoschindler)
- Add a toggleable button demo (2615 by rodja)
- Add demo on how to update markdown content (2584, 2592 by Anindya088, falkoschindler, rodja)
- Add sponsor button to the website (2572 by rodja)
- Provide infos about our coding style (2564 by rodja)

Resources

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24762

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Availability (A): HIGH