Headline
GHSA-2m4f-cg75-76w2: NiceGUI Stored/Reflected XSS in ui.interactive_image via unsanitized SVG content
Summary
A Cross-Site Scripting (XSS) vulnerability exists in the ui.interactive_image component of NiceGUI (v3.3.1 and earlier). The component renders SVG content using Vue’s v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG <foreignObject> tag.
Details
The vulnerability is located in nicegui/elements/interactive_image.js.
The component uses the following code to render content:
<g v-html="content"></g>
Vue’s v-html directive renders raw HTML strings into the DOM. If an application allows user-controlled input to be passed to the content property of an interactive image, an attacker can embed a <foreignObject> tag containing malicious scripts, bypassing typical image restrictions.
PoC
from nicegui import ui
@ui.page('/')
def main():
ui.label('NiceGUI SVG XSS PoC')
# Standard image loading
img = ui.interactive_image('[https://picsum.photos/640/360](https://picsum.photos/640/360)')
# Payload: Embeds raw HTML execution inside SVG
# This executes immediately when the image component is rendered
img.content = (
'<foreignObject>'
'<body xmlns="[http://www.w3.org/1999/xhtml](http://www.w3.org/1999/xhtml)">'
'<img src=x onerror=alert("XSS-SVG")>'
'</body>'
'</foreignObject>'
)
ui.run()
Impact
Type: Reflected / Stored XSS (depending on data source)
Severity: Moderate
Impact: Attackers can inject malicious scripts that execute whenever the image component is rendered or updated. This is particularly dangerous for dashboards or multi-user applications displaying user-generated content or annotations.
Summary
A Cross-Site Scripting (XSS) vulnerability exists in the ui.interactive_image component of NiceGUI (v3.3.1 and earlier). The component renders SVG content using Vue’s v-html directive without any sanitization. This allows attackers to inject malicious HTML or JavaScript via the SVG <foreignObject> tag.
Details
The vulnerability is located in nicegui/elements/interactive_image.js.
The component uses the following code to render content:
Vue’s v-html directive renders raw HTML strings into the DOM. If an application allows user-controlled input to be passed to the content property of an interactive image, an attacker can embed a tag containing malicious scripts, bypassing typical image restrictions.
PoC
from nicegui import ui
@ui.page(‘/’) def main(): ui.label(‘NiceGUI SVG XSS PoC’)
\# Standard image loading
img \= ui.interactive\_image('\[https://picsum.photos/640/360\](https://picsum.photos/640/360)')
\# Payload: Embeds raw HTML execution inside SVG
\# This executes immediately when the image component is rendered
img.content \= (
'<foreignObject>'
'<body xmlns="\[http://www.w3.org/1999/xhtml\](http://www.w3.org/1999/xhtml)">'
'<img src=x onerror=alert("XSS-SVG")>'
'</body>'
'</foreignObject>'
)
ui.run()
Impact
Type: Reflected / Stored XSS (depending on data source)
Severity: Moderate
Impact: Attackers can inject malicious scripts that execute whenever the image component is rendered or updated. This is particularly dangerous for dashboards or multi-user applications displaying user-generated content or annotations.
References
- GHSA-2m4f-cg75-76w2
- zauberzeug/nicegui@58ad0b3