chore(deps): update dependency nicegui to v3.12.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
nicegui (changelog)	3.11.1 → 3.12.0

---

NiceGUI: Local file disclosure via Docutils file insertion in ui.restructured_text()

CVE-2026-45553 / GHSA-jfrm-rx66-g536

More information

Details

Summary

ui.restructured_text() renders reStructuredText server-side with Docutils without disabling file insertion directives.

When a NiceGUI application passes attacker-controlled content to ui.restructured_text(), an attacker can use standard Docutils directives (include, csv-table with :file:, raw with :file:) to read local files readable by the NiceGUI server process.

Applications that only pass trusted static strings to ui.restructured_text() are not affected.

Details

The affected component is the reStructuredText renderer:

• File: nicegui/elements/restructured_text.py
• Function: prepare_content()

prepare_content() renders user-supplied reStructuredText through Docutils:

html = publish_parts(
    remove_indentation(content),
    writer_name='html4',
    settings_overrides={'syntax_highlight': 'short'},
)

The Docutils call only sets syntax_highlight. It does not disable file insertion or raw directives, so Docutils processes directives that read local files and embed their contents into the generated HTML before it is returned to the browser. Frontend sanitization cannot prevent this because the file has already been read server-side.

A minimal vulnerable usage pattern is any page that forwards untrusted input into ui.restructured_text(), e.g. content taken from query parameters, form fields, or other user-controlled sources.

Impact

Local file disclosure. An attacker who can supply reStructuredText content can read files accessible to the NiceGUI server process. Depending on deployment, this may expose:

• application .env files
• database URLs, API tokens, session/storage secrets
• OAuth or cloud credentials
• Docker or Kubernetes mounted secrets
• application source files
• logs and other process-readable files

The confirmed impact is confidentiality loss through arbitrary local file read. Applications are only impacted when they pass untrusted or user-controlled reStructuredText into ui.restructured_text().

Recommended fix

Disable unsafe Docutils features in prepare_content():

html = publish_parts(
    remove_indentation(content),
    writer_name='html4',
    settings_overrides={
        'syntax_highlight': 'short',
        'file_insertion_enabled': False,
        'raw_enabled': False,
        '_disable_config': True,
    },
)

This blocks the include, csv-table :file:, and raw :file: directives as well as local docutils.conf overrides.

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

• https://github.com/zauberzeug/nicegui/security/advisories/GHSA-jfrm-rx66-g536
• https://github.com/advisories/GHSA-jfrm-rx66-g536

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes

CVE-2026-45554 / GHSA-pq7c-x8g4-rvp6

More information

Details

Summary

Two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log as a full traceback. Because the routes are reachable without authentication, a remote attacker can amplify log volume and consume disk and log-pipeline capacity on any publicly reachable NiceGUI server. There is no impact to confidentiality or integrity.

Details

The affected routes are the per-component resource route (added in v1.4.6) and the ESM module route (added in v3.0.0). Both join a user-supplied path segment with a registered base directory and pass the result to FileResponse. The existing existence check uses pathlib.Path.exists(), which returns True for directories — so a request whose sub-path resolves to a directory passes the guard and triggers an unhandled exception inside Starlette.

FastAPI has no default handler for RuntimeError, so each such request results in a 500 response and a multi-frame traceback in the server log.

Other NiceGUI-served paths (/static/..., /components/..., /libraries/...) are not affected; they do not use the same sub-path-to-FileResponse pattern.

Impact

A remote, unauthenticated attacker can repeatedly trigger the error condition with crafted requests. Each request emits roughly 100 lines of traceback in a default setup, and more when additional middleware layers are present. At sustained request rates this can:

• exhaust disk space on hosts with default log retention,
• saturate downstream log-shipping pipelines,
• generate alert fatigue or mask other events in monitoring.

There is no remote code execution, no path traversal, and no data exposure beyond the absolute installation path that already appears in any uncaught exception trace.

Workarounds

For deployments that cannot upgrade immediately:

• Place NiceGUI behind a reverse proxy that rejects requests where the path after /_nicegui/<version>/esm/<key>/ or /_nicegui/<version>/resources/<key>/ is empty.
• Rate-limit the /_nicegui/ prefix at the proxy.
• Configure log rotation aggressively for the affected service.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/zauberzeug/nicegui/security/advisories/GHSA-pq7c-x8g4-rvp6
• https://github.com/advisories/GHSA-pq7c-x8g4-rvp6

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

zauberzeug/nicegui (nicegui)

v3.12.0

Compare Source

Security

• ⚠️ Prevent local file disclosure in ui.restructured_text via Docutils file insertion directives (GHSA-jfrm-rx66-g536 by @​dennyabrahamsinaga, @​h3ri0s, @​falkoschindler, @​evnchn)
• ⚠️ Prevent unauthenticated log-volume denial of service in dynamic resource and ESM module routes (GHSA-pq7c-x8g4-rvp6 by @​bitinerant, @​evnchn, @​falkoschindler)

New features and enhancements

• Make enable(), disable(), set_enabled(), set_visibility() and many more methods chainable (#​6014, #​6016 by @​stragrothsk, @​falkoschindler, @​evnchn)
• Auto-dedent ui.mermaid content like ui.markdown does (#​6011, #​6012 by @​BasementSociety, @​falkoschindler, @​evnchn)
• Suppress alarming KeyboardInterrupt traceback from run.cpu_bound workers on Ctrl-C (#​6025, #​6027 by @​justus2510, @​falkoschindler, @​evnchn)

Bugfixes

• Fix RuntimeError: A SemLock created in a fork context is being shared with a process in a spawn context in ui.run(native=True, reload=True) on CPython ≥ 3.11.5 (#​1841, #​6045 by @​swrpug, @​evnchn, @​falkoschindler, @​rodja, @​JensOgorek, @​yuanxion, @​electronstudio, @​knoppmyth, @​Qhawaq, @​sagarbehere, @​frankhuurman, @​MrGibus, @​BanDroid)
• Fix KeyError: 'error' when calling ValidationElement.validate() after the error prop was removed via props(remove=...) (#​5977, #​6042 by @​manu-ns, @​falkoschindler, @​evnchn)
• Fix silent window.location.reload() on every WebSocket reconnect (#​6018, #​6019 by @​arodidev, @​falkoschindler, @​evnchn)
• Resolve ElementFilter.DEFAULT_LOCAL_SCOPE at runtime so changing the class variable actually affects new instances (#​6005, #​6013 by @​gzu300, @​DarkRiddle1212, @​falkoschindler)
• Fix duplicate app.timer and lifecycle handler (on_connect, on_disconnect, on_delete, on_shutdown, on_exception) registration in script mode (#​6003, #​6006 by @​EchterTimo, @​falkoschindler, @​evnchn)
• Preserve a meaningful DataFrame index in ui.aggrid.from_pandas and ui.table.from_pandas (#​5995, #​6002 by @​NichtJens, @​DarkRiddle1212, @​falkoschindler, @​evnchn)
  Note: DataFrames with an informative index now produce additional column(s) in the resulting grid/table. To restore the previous "drop the index" behavior, call df.reset_index(drop=True) before passing the DataFrame.
• Bracket IPv6 hosts and omit default ports in printed URLs (#​5996 by @​bulletmark, @​falkoschindler, @​evnchn)
• Fix ui.code reporting the wrong language and throwing a ReferenceError in the CodeMirror findLanguage error path (#​5982 by @​Jepson2k, @​falkoschindler)
• Fix material settings not applying to GLTF models in ui.scene (#​3515, #​5708 by @​maria-korosteleva, @​evnchn, @​falkoschindler, @​fabian0702)

Documentation

• Add llms.md — a self-contained LLM reference covering NiceGUI's API surface, mental models, and common anti-patterns for AI-assisted development (#​6021, #​6049 by @​joko-zauberzeug, @​falkoschindler, @​evnchn, @​rodja)
• Restructure CONTRIBUTING.md around the contributor journey, drop rule duplication, and split out a new "For maintainers" section (#​6029 by @​falkoschindler, @​evnchn)
• Restructure AI agent instructions: extract code-review guidance into REVIEW.md, trim AGENTS.md, and tighten Cursor/Copilot prompts (#​6030 by @​falkoschindler, @​evnchn)
• Document packaging with Nuitka (#​6009, #​6010 by @​SHDocter, @​falkoschindler, @​evnchn)
• Improve authentication example (#​6046 by @​NichtJens, @​evnchn, @​falkoschindler)
• Improve Sortable documentation (#​6017 by @​falkoschindler, @​denniswittich)
• Clarify the client_id security model and add an "Examples Are Starting Points" callout (#​6004 by @​evnchn, @​falkoschindler)
• Fix Nested ui.sub_pages doc demo link target and label (#​5999, #​6008 by @​aisartag, @​falkoschindler, @​evnchn)

Testing

• Fix click handler dispatch in user simulation (#​6043 by @​Jepson2k, @​falkoschindler, @​evnchn)
  Note 1: Click handlers on ui.checkbox and ui.switch now receive e.args = None instead of not element.value; read e.sender.value (or use on_value_change) for the post-toggle value.
  Note 2: Also, find(...).click() no longer broadcasts to every matched element — it picks the lowest-ID enabled match and dispatches once. Tests that relied on simultaneous multi-match clicks need to issue separate calls.
• Implement ui.sub_pages navigation in user-simulated tests (#​5193 by @​rodja, @​falkoschindler)

Dependencies

• Bump Mermaid from 11.12.2 to 11.15.0 to consume upstream security patches (#​6047 by @​falkoschindler, @​evnchn)

Infrastructure

• Use uv sync --locked in CI workflows so lockfile drift fails fast with a clear diagnostic (#​6036 by @​evnchn, @​falkoschindler)
• Use uv sync --locked in Copilot setup steps for deterministic agent boot environments (#​6040 by @​evnchn, @​falkoschindler)
• Switch Dependabot from the pip ecosystem to uv (#​6037 by @​evnchn, @​falkoschindler)
• Declare PyPI trove classifiers so NiceGUI appears in PyPI's faceted search (#​6041 by @​evnchn, @​falkoschindler)
• Expand [project.urls] with PEP 753 well-known labels (#​6039 by @​evnchn, @​falkoschindler)

---

Special thanks to our top sponsors TestMu AI, Lechler GmbH and joet-s ✨

and all our other sponsors and contributors for supporting this project!

🙏 Want to support this project? Check out our GitHub Sponsors page to help us keep building amazing features!

---

Configuration

📅 Schedule: (in timezone Europe/Berlin)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ All tests successful. No failed tests found.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud