This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)
🚨 **Vulnerability Essence**: NiceGUI's `FileUpload.name` does not filter client-side filenames, leading to path traversal.…
🔍 **Root Cause**: CWE-22 (Path Traversal). The framework directly exposes `file.name` without filtering special characters like `../`, and developers misusing `UPLOAD_DIR / file.name` trigger the vulnerability.
Q3. Who is affected? (Versions/Components)
⚠️ **Affected Component**: NiceGUI framework. ✅ **Affected Versions**: All versions prior to 3.7.0. 🛡️ **Secure Version**: Fixed in 3.7.0+.
Q4. What can hackers do? (Privileges/Data)
🎯 **What Attackers Can Do**: Write to arbitrary files (e.g., `/etc/passwd`, `/app/main.py`). If critical application files are overwritten, arbitrary code execution (RCE) is possible.…
🔓 **Exploitation Difficulty**: Low! No authentication or interaction required. Exploitable as long as the frontend upload feature is exposed and code directly uses `file.name` to construct paths.
Q6. Is there a public Exp? (PoC/Wild Exploitation)
❌ **No Ready-to-Use Exploit**: PoC not provided. However, the attack logic is simple—manually construct malicious filenames (e.g., `../../app.py`) to test.
Q7. How to self-check? (Features/Scanning)
🔍 **Self-Check Method**: Search for `file.name` being directly used in path concatenation. 🔍 **Indicators**: `UPLOAD_DIR / file.name`, `os.path.join(UPLOAD_DIR, file.name)`, etc.…
✅ **Official Fix Applied**: Fixed in version 3.7.0 with added filename filtering. 🛡️ **Mitigation**: Upgrade to 3.7.0+.
Q9. What if no patch? (Workaround)
🛡️ **Temporary Workarounds**: ✅ Apply security filtering on `file.name` (e.g., allow only letters, digits, dots, underscores). ✅ Use auto-generated filenames (e.g., UUID). ✅ Restrict upload directory permissions.
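The following is an added example, not code from NiceGUI or from the original analysis, that puts the Q7 indicator pattern (`UPLOAD_DIR / file.name`) beside the Q9 workarounds: an allowlist filter on the client-supplied name, a UUID-generated name that ignores it, and a resolve-and-check step as defence in depth. `UPLOAD_DIR`, the function names and the sample filenames are assumptions constructed for this example.

```python
# Added example (not NiceGUI project code): the vulnerable upload-path pattern
# named in the advisory next to two hardened alternatives.
import os
import re
import uuid
from pathlib import Path, PurePosixPath

UPLOAD_DIR = Path("/tmp/uploads")  # assumed upload root, constructed for this example

# Allowlist from the advisory's workaround: letters, digits, dots, underscores only.
# Anything containing '/', '\\' or other characters is rejected outright.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9._]{1,255}$")
_SAFE_EXT = re.compile(r"^\.[A-Za-z0-9]{1,16}$")


def unsafe_upload_path(upload_dir: Path, client_name: str) -> Path:
    """The vulnerable pattern the advisory describes: the client-controlled
    filename is joined onto the upload directory without any filtering."""
    return upload_dir / client_name


def escapes_upload_dir(upload_dir: Path, candidate: Path) -> bool:
    """Lexical self-check (no filesystem access): does the normalised candidate
    path end up outside upload_dir? Useful when auditing existing call sites."""
    root = os.path.normpath(str(upload_dir))
    cand = os.path.normpath(str(candidate))
    return os.path.commonpath([root, cand]) != root


def safe_upload_path(upload_dir: Path, client_name: str) -> Path:
    """Workaround 1: keep the client's name but only if it passes the allowlist,
    then confirm the resolved path is a direct child of the upload directory."""
    if not _SAFE_NAME.fullmatch(client_name):
        raise ValueError(f"rejected filename: {client_name!r}")
    # '..' passes the character allowlist, and leading-dot names would create
    # hidden files (e.g. .htaccess), so reject both explicitly.
    if client_name in {".", ".."} or client_name.startswith("."):
        raise ValueError(f"rejected filename: {client_name!r}")
    root = upload_dir.resolve()
    target = (root / client_name).resolve()
    # Defence in depth: even a name that slipped past the filter must not
    # land anywhere but directly inside the upload root.
    if target.parent != root:
        raise ValueError(f"path escapes upload dir: {client_name!r}")
    return target


def generated_upload_path(upload_dir: Path, client_name: str) -> Path:
    """Workaround 2: ignore the client name entirely and store under a UUID,
    keeping only a validated extension so downstream tooling still works."""
    suffix = PurePosixPath(client_name.replace("\\", "/")).suffix
    ext = suffix if _SAFE_EXT.fullmatch(suffix) else ""
    return upload_dir.resolve() / f"{uuid.uuid4().hex}{ext}"


def is_rejected(upload_dir: Path, client_name: str) -> bool:
    """Helper for tests: True when safe_upload_path refuses the name."""
    try:
        safe_upload_path(upload_dir, client_name)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample filenames, including the traversal shape from the advisory.
    for name in ["report_v2.pdf", "../../app.py", "..\\..\\app.py", "..", ".htaccess"]:
        raw = unsafe_upload_path(UPLOAD_DIR, name)
        print(f"{name!r:20} unsafe -> {raw}  escapes={escapes_upload_dir(UPLOAD_DIR, raw)}")
        print(f"{'':20} safe   -> {'REJECTED' if is_rejected(UPLOAD_DIR, name) else safe_upload_path(UPLOAD_DIR, name)}")
        print(f"{'':20} uuid   -> {generated_upload_path(UPLOAD_DIR, name)}")
```

`escapes_upload_dir` is the check to run over the paths your own code builds when grepping for the `file.name` indicators: a traversal name joined onto the upload root normalises to a location outside it, which is exactly the write the advisory warns about. The allowlist approach is stricter than stripping directory components (a name such as `../../app.py` is refused rather than silently turned into `app.py`), which keeps the rejection visible in logs.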
Q10. Is it urgent? (Priority Suggestion)
🔥 **Priority: High!** Arbitrary file write + RCE risk. Especially critical for applications deployed on the public internet—immediate upgrade or temporary hardening recommended.