Description

Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would also be executed when another user clicks on his API tab. Prior to version 2.0.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users of versions prior to 2.0.0. If a user is the only authenticated user using Gokapi, they are not affected. This issue has been fixed in v2.0.0. A workaround would be to not open the API page if it is possible that another user might have injected code.

INFO

Published Date :

2025-06-02T11:08:07.017Z

Last Modified :

2025-06-02T16:51:10.394Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-48495 vulnerability.

Vendors Products
Forceu
  • Gokapi
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-48495.

URL Resource
https://github.com/Forceu/Gokapi/commit/65ddbc68fbfdf1c80cadb477f4bcbb7f2c4fdbf8 cve-icon cve-icon
https://github.com/Forceu/Gokapi/security/advisories/GHSA-4xg4-54hm-9j77 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability
Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact