CVE-2024-24762

Advisory

Nicegui version 1.4.16 increases the required version of python-multipart to 0.0.7. This update addresses the Regular Expression Denial of Service (ReDoS) vulnerability associated with the Content-Type header, detailed in CVE-2024-24762.

Affected package

Affected versions

Fixed versions

Vulnerability changelog

New features and enhancements

- Introduce [`ui.navigate`](https://nicegui.io/documentation/navigate) module to replace `ui.open` (#2575, 2593 by ZeroCool940711, falkoschindler, rodja)
- Introduce [`ui.restructured_text`](https://nicegui.io/documentation/restructured_text) element (#2561 by ZeroCool940711, falkoschindler)
- Support [other tags](https://nicegui.io/documentation/html#producing_in-line_elements) than div for [`ui.html`](https://nicegui.io/documentation/html) (#2610 by kleynjan)
- Introduce a pure [JavaScript event handler](https://nicegui.io/documentation/run_javascript#run_async_javascript) (2383, 2536 by WSH032, falkoschindler, rodja)
- Allow awaiting the "init" event of [`ui.leaflet` (map)](https://nicegui.io/documentation/leaflet) and [`ui.scene` (3d)](https://nicegui.io/documentation/scene) (#2500, 2606 by elkarouh, kleynjan, falkoschindler, rodja)
- Support [GLTF meshes in `ui.scene`](https://nicegui.io/documentation/scene) elements (#2532 by fabian0702, falkoschindler)
- Add On Air support for [`ui.run_with`](https://github.com/zauberzeug/nicegui/blob/1d2310842cb9153f8d5250a483a9bfc8ddb5d4cc/examples/fastapi/frontend.py#L15C5-L19C6) (2526, 2546 by csrubin, falkoschindler)

Bugfixes

- Fix binding removal for non-hashable objects (2540, 2544 by kleynjan, falkoschindler)
- Fix order of removing elements when client disconnects (2589, 2603 by Johannes-)
- Fix RecursionError when deleting [`ui.leaflet`](https://nicegui.io/documentation/leaflet) elements (#2587, 2609 by thickmn, falkoschindler)
- Fix layer events and `run_layer_method` for [`ui.leaflet`](https://nicegui.io/documentation/leaflet) (#2500, 2557 by elkarouh, kleynjan, falkoschindler)
- Fix modifiers on key event for [`ui.interactive_image()`](https://nicegui.io/documentation/interactive_image) (#2530 by masrab, falkoschindler)
- Fix `.tooltip()` ignoring `default_classes` from [`ui.tooltip`](https://nicegui.io/documentation/tooltip) (#2554 by h0uter, falkoschindler)
- Raise minimum version of `python-multipart` to avoid Content-Type Header ReDoS (2569 by svfoxat)

Documentation

- Show a content preview when using the search dialog (2547 by ZeroCool940711, rodja, falkoschindler)
- Use more specific page titles for individual documentation pages (2583, 2607 by bandit-masked, falkoschindler)
- Add tooltips to the search and theme buttons (2539 by ZeroCool940711)
- Add a demo for custom icon sets (2617, 2620 by me21, falkoschindler)
- Add a toggleable button demo (2615 by rodja)
- Add demo on how to update markdown content (2584, 2592 by Anindya088, falkoschindler, rodja)
- Add sponsor button to the website (2572 by rodja)
- Provide infos about our coding style (2564 by rodja)

Resources

• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24762
• https://github.com/zauberzeug/nicegui/pull/2569/commits/89fefcb086bdc8a3e9159585627d7bba773f8a62