CVE-2025-48495
📋 TL;DR
This CVE describes a stored cross-site scripting (XSS) vulnerability in the Gokapi file sharing server where authenticated users can inject JavaScript into API key names. The injected code executes when other users view the API tab. All authenticated users of versions before 2.0.0 are affected, because permission controls are absent and encryption keys are shared.
💻 Affected Systems
- Gokapi
📦 What is this software?
Gokapi by Forceu
⚠️ Risk & Real-World Impact
Worst Case
Malicious authenticated user could steal session cookies, perform actions as other users, or deploy malware to client browsers of all other authenticated users.
Likely Case
Authenticated attacker steals session tokens or credentials from other users viewing the API tab, potentially gaining full administrative access.
If Mitigated
With proper input validation and output encoding, no code execution occurs and user data remains protected.
🎯 Exploit Status
Exploitation requires authenticated access but is straightforward: renaming an API key to a malicious JavaScript payload is sufficient.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.0
Vendor Advisory: https://github.com/Forceu/Gokapi/security/advisories/GHSA-4xg4-54hm-9j77
Restart Required: Yes
Instructions:
1. Back up your Gokapi configuration and data.
2. Download Gokapi v2.0.0 or later from the official repository.
3. Replace the existing installation with the new version.
4. Restart the Gokapi service.
🔧 Temporary Workarounds
Avoid API Page Access
Do not open the API page if there is any possibility that another user has injected malicious code.
🧯 If You Can't Patch
- Restrict access to Gokapi to only trusted users who require it.
- Implement network segmentation to isolate Gokapi instances from sensitive systems.
🔍 How to Verify
Check if Vulnerable:
Check the Gokapi version: if it is below 2.0.0 and multiple users have access, the system is vulnerable.
Check Version:
Check the Gokapi web interface or configuration files for version information.
Verify Fix Applied:
Verify that the Gokapi version is 2.0.0 or higher and test that JavaScript placed in API key names is properly sanitized.
📡 Detection & Monitoring
Log Indicators:
- Unusual API key name modifications containing script tags or JavaScript code
- Multiple failed authentication attempts followed by successful login
Network Indicators:
- Unexpected outbound connections from Gokapi server to external domains
- Suspicious JavaScript payloads in HTTP requests
SIEM Query:
source="gokapi" AND (message="*<script>*" OR message="*javascript:*" OR message="*onerror=*" OR message="*onload=*")
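As an added example (not from this page or the Gokapi project), the indicators from the SIEM query above applied to constructed log lines whose key=value layout is an assumption rather than Gokapi's real format; it also percent-decodes the key name before matching, which the plain wildcard query does not, so an encoded payload is still flagged:

```python
import re
from urllib.parse import unquote

# Constructed sample log lines; the field layout is an assumption, not
# Gokapi's real log format. Only the API key rename events matter here.
SAMPLE_LOGS = [
    'ts=2025-06-01T10:00:00Z user=alice action=apikey_rename id=k1 name="backup-script"',
    'ts=2025-06-01T10:05:00Z user=mallory action=apikey_rename id=k2 name="<script>probe</script>"',
    'ts=2025-06-01T10:06:00Z user=mallory action=apikey_rename id=k3 name="%3Cimg src=x onerror%3Dprobe%3E"',
    'ts=2025-06-01T10:07:00Z user=bob action=apikey_rename id=k4 name="javascript:probe"',
    'ts=2025-06-01T10:08:00Z user=bob action=upload id=f9 name="onload.pdf"',
]

# Same four indicators as the SIEM query, matched case-insensitively.
INDICATORS = re.compile(r"<script|javascript:|onerror=|onload=", re.IGNORECASE)
NAME_FIELD = re.compile(r'action=apikey_rename\b.*?\bname="([^"]*)"')
USER_FIELD = re.compile(r"\buser=(\S+)")

def normalise(name: str) -> str:
    """Percent-decode until stable so an encoded payload cannot slip past the match."""
    prev = None
    while prev != name:
        prev, name = name, unquote(name)
    return name

def suspicious_renames(lines):
    """Return (user, raw new name) for API key renames whose name carries an indicator."""
    hits = []
    for line in lines:
        m = NAME_FIELD.search(line)
        if not m:
            continue  # not an API key rename, out of scope for this CVE
        raw = m.group(1)
        if INDICATORS.search(normalise(raw)):
            user = USER_FIELD.search(line)
            hits.append((user.group(1) if user else "?", raw))
    return hits

def offenders(lines):
    """Distinct users who renamed a key to something script-like, in first-seen order."""
    seen = []
    for user, _ in suspicious_renames(lines):
        if user not in seen:
            seen.append(user)
    return seen

if __name__ == "__main__":
    for user, name in suspicious_renames(SAMPLE_LOGS):
        print(f"ALERT user={user} name={name!r}")
```

The benign "backup-script" name is not flagged because the pattern requires "<script", and the upload event is skipped entirely since only API key renames are in scope.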