CVE-2025-70963
📋 TL;DR
Gophish versions up to 0.12.1 expose users' long-lived API keys in the HTML/JavaScript of the administrative dashboard on every login. This allows any script running in the browser context to steal these permanent credentials. All Gophish administrators using vulnerable versions are affected.
💻 Affected Systems
- Gophish
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers can steal API keys and gain full administrative access to the Gophish instance, allowing them to create phishing campaigns, access sensitive data, and potentially pivot to other systems.
Likely Case
Malicious browser extensions or XSS attacks could harvest API keys, leading to unauthorized access to the phishing simulation platform.
If Mitigated
With proper network segmentation and browser security controls, the risk is limited to authenticated sessions only.
🎯 Exploit Status
Exploitation requires access to the browser session (via malicious extensions, XSS, or other browser-based attacks). The API keys are directly visible in page source.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.13.0 or later
Vendor Advisory: https://github.com/gophish/gophish/issues/9366
Restart Required: Yes
Instructions:
1. Back up your Gophish configuration and database.
2. Download Gophish 0.13.0 or later from the official repository.
3. Replace the existing binary with the new version.
4. Restart the Gophish service.
🔧 Temporary Workarounds
Disable API Key Exposure via Browser Script
Manually modify the dashboard code to remove API key exposure in HTML/JavaScript (temporary workaround).
# This requires modifying the Gophish source code and recompiling
# Not recommended for production - upgrade to 0.13.0 instead
🧯 If You Can't Patch
- Restrict access to the Gophish dashboard to trusted networks only using firewall rules.
- Use browser extensions that block JavaScript execution or implement Content Security Policy (CSP) headers.
🔍 How to Verify
Check if Vulnerable:
Log in to the Gophish dashboard, view the page source (Ctrl+U) and search for 'api_key'. If it is visible in the HTML/JavaScript, you are vulnerable.
Check Version:
./gophish --version
Verify Fix Applied:
After upgrading to 0.13.0+, check page source again - API keys should no longer be exposed in the HTML/JavaScript.
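The manual check above (search the saved page source for 'api_key') can be scripted so it is repeatable before and after the upgrade and never copies the full key into a report. The following is an added example, not Gophish project code and not from the advisory: it assumes the key sits next to the literal marker `api_key` and is an alphanumeric token of at least 16 characters, and the sample pages and key value are constructed placeholders.

```python
"""Scan saved Gophish dashboard HTML for an embedded API key.

Added example for the check described above; it is not Gophish project code.
It assumes the key appears next to the literal marker 'api_key' (the string
the advisory says to search for) and that the key is an alphanumeric token of
at least 16 characters. Both are assumptions; adjust the pattern if your
dashboard source uses a different name.
"""
import re
from typing import List, NamedTuple

# Matches forms such as "api_key":"<token>" or api_key = '<token>' (assumed shapes).
API_KEY_RE = re.compile(r"""api_key["']?\s*[:=]\s*["']?([A-Za-z0-9]{16,})""")


class Finding(NamedTuple):
    line_no: int      # 1-based line in the saved page source
    masked_key: str   # first/last 4 characters only, never the full key
    context: str      # the offending line with the key masked


def mask(key: str) -> str:
    """Keep only enough of the key to correlate with the account, never the whole value."""
    return f"{key[:4]}...{key[-4:]}"


def find_exposed_api_keys(html: str) -> List[Finding]:
    """Return one Finding per line that embeds an API key in the page source."""
    findings = []
    for line_no, line in enumerate(html.splitlines(), start=1):
        for match in API_KEY_RE.finditer(line):
            key = match.group(1)
            # Mask the key in the context too, so the report can be shared safely.
            safe_context = line.replace(key, mask(key)).strip()
            findings.append(Finding(line_no, mask(key), safe_context[:120]))
    return findings


def is_vulnerable(html: str) -> bool:
    """True when at least one API key is exposed in the given dashboard source."""
    return bool(find_exposed_api_keys(html))


# Constructed sample pages (not real Gophish output). The key value is a made-up placeholder.
SAMPLE_VULNERABLE_HTML = """<html><body>
<script>
  var user = {"username": "admin", "api_key": "0123456789abcdef0123456789abcdef"};
</script>
</body></html>"""

SAMPLE_FIXED_HTML = """<html><body>
<script>
  var user = {"username": "admin"};
</script>
</body></html>"""

if __name__ == "__main__":
    # Typical use: save the dashboard source (Ctrl+U) to a file and pass its contents here.
    for name, page in (("vulnerable sample", SAMPLE_VULNERABLE_HTML),
                       ("fixed sample", SAMPLE_FIXED_HTML)):
        print(name, "->", "EXPOSED" if is_vulnerable(page) else "clean")
        for f in find_exposed_api_keys(page):
            print(f"  line {f.line_no}: {f.masked_key} | {f.context}")
```

Run it against the saved source before the upgrade (expect a finding) and again after (expect none). Because the keys are long-lived, as the TL;DR notes, a key that was exposed before the upgrade remains valid until it is replaced; the post-upgrade scan only confirms that the page no longer leaks it.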
📡 Detection & Monitoring
Log Indicators:
- Unusual API usage patterns from new IP addresses
- Multiple failed login attempts followed by successful API calls
Network Indicators:
- API requests from unexpected user agents or locations
- Sudden increase in API request volume
SIEM Query:
source="gophish" AND (event_type="api_call" AND src_ip NOT IN [trusted_ips])
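The SIEM query above covers only the first indicator (API calls from outside trusted networks). The following added example, which is not Gophish code and not from the advisory, implements all four indicator bullets as plain functions over log records so they can be tested against sample data. The records, their field names (`ts`, `event`, `src_ip`, `user_agent`, `path`), the trusted networks, the expected user agents and the rate threshold are all constructed assumptions; map your own log fields onto them.

```python
"""Run the detection indicators above over sample log records.

Added example, not Gophish code. The records and their field names (ts, event,
src_ip, user_agent, path) are constructed for this example and do not reproduce
Gophish's real log format; map your own log fields onto them. Trusted networks,
expected user agents and the rate threshold are placeholders to tune.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
import ipaddress

# Assumed trusted administrator networks (the [trusted_ips] of the SIEM query above).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.50.0/24")]
# Assumed user agents of your legitimate API clients.
EXPECTED_AGENTS = ("gophish-cli",)
SPIKE_THRESHOLD = 5  # more API calls than this per minute from one source is a spike


def is_trusted(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def untrusted_api_calls(records):
    """Code equivalent of the SIEM query: api_call events from outside trusted networks."""
    return [r for r in records if r["event"] == "api_call" and not is_trusted(r["src_ip"])]


def unexpected_agents(records):
    """API calls whose user agent is not one of the expected clients."""
    return [r for r in records
            if r["event"] == "api_call" and not r["user_agent"].startswith(EXPECTED_AGENTS)]


def api_rate_spikes(records, threshold=SPIKE_THRESHOLD):
    """(src_ip, minute) buckets whose API call count exceeds the threshold."""
    per_minute = Counter()
    for r in records:
        if r["event"] == "api_call":
            bucket = r["ts"].replace(second=0, microsecond=0)
            per_minute[(r["src_ip"], bucket)] += 1
    return {key: n for key, n in per_minute.items() if n > threshold}


def failed_login_then_api(records, min_failures=2, within=timedelta(minutes=10)):
    """Sources with repeated failed logins followed shortly by a successful API call."""
    failures = defaultdict(list)
    flagged = set()
    for r in sorted(records, key=lambda r: r["ts"]):
        if r["event"] == "login_failed":
            failures[r["src_ip"]].append(r["ts"])
        elif r["event"] == "api_call":
            recent = [t for t in failures[r["src_ip"]] if r["ts"] - t <= within]
            if len(recent) >= min_failures:
                flagged.add(r["src_ip"])
    return flagged


def detect(records):
    """Summarise all four indicators as plain, JSON-friendly values."""
    return {
        "untrusted_api_sources": sorted({r["src_ip"] for r in untrusted_api_calls(records)}),
        "unexpected_agent_sources": sorted({r["src_ip"] for r in unexpected_agents(records)}),
        "rate_spikes": {f"{ip}@{minute.isoformat()}": n
                        for (ip, minute), n in api_rate_spikes(records).items()},
        "failed_login_then_api": sorted(failed_login_then_api(records)),
    }


def rec(time, event, src_ip, user_agent, path):
    """Build one constructed log record for the sample data."""
    return {"ts": datetime.fromisoformat(f"2025-01-10T{time}"), "event": event,
            "src_ip": src_ip, "user_agent": user_agent, "path": path}


# Constructed sample: a source outside the trusted networks fails to log in twice,
# then issues six API calls within one minute from a non-standard client; one
# legitimate call from an administrator network is included for contrast.
SUSPECT = "203.0.113.7"  # documentation address range, constructed
SAMPLE_LOGS = (
    [rec("09:00:00", "login_failed", SUSPECT, "Mozilla/5.0", "/login"),
     rec("09:00:05", "login_failed", SUSPECT, "Mozilla/5.0", "/login")]
    + [rec(f"09:01:{sec:02d}", "api_call", SUSPECT, "curl/8.4.0", "/api/campaigns/")
       for sec in range(0, 60, 10)]
    + [rec("09:30:00", "api_call", "10.1.2.3", "gophish-cli/1.0", "/api/users/")]
)

if __name__ == "__main__":
    import json
    print(json.dumps(detect(SAMPLE_LOGS), indent=2))
```

Each function corresponds to one bullet in the log and network indicators above, so a single rule can be tuned or disabled without touching the others; the trusted-network check is the only one the original SIEM query expresses.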