CVE-2025-48495: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in Forceu Gokapi
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. By renaming the friendly name of an API key, an authenticated user could inject JS into the API key overview, which would then also be executed when another user opens their API tab. Prior to version 2.0.0 there was no user permission system, so all authenticated users were already able to see and modify all resources, even end-to-end encrypted ones, because the encryption key had to be the same for all users in versions prior to 2.0.0. If a user is the only authenticated user of a Gokapi instance, they are not affected. This issue has been fixed in v2.0.0. A workaround is to not open the API page if another user might have injected code.
AI Analysis
Technical Summary
CVE-2025-48495 is a medium-severity stored cross-site scripting (XSS) vulnerability affecting versions of the Forceu Gokapi self-hosted file sharing server prior to 2.0.0. Gokapi supports automatic expiration and encryption of shared files. The vulnerability arises from improper neutralization of user input during web page generation: when an authenticated user renames the friendly name of an API key, the new name is stored and later rendered into the API key overview page without being escaped, so it can carry JavaScript. When another user subsequently opens their API tab, the injected script executes in that user's browser context. Prior to version 2.0.0, Gokapi had no user permission system, so all authenticated users could view and modify all resources, including encrypted files, because the encryption key was shared among all users. This amplifies the risk: any authenticated user could inject a script that affects every other authenticated user. Exploitation requires an authenticated account and user interaction (a victim visiting the API tab). The issue has been addressed in version 2.0.0 by implementing proper output escaping of the friendly name and a user permission system. The only workaround is to avoid opening the API page if another user may have injected code. The CVSS 4.0 score is 4.8 (medium), reflecting a network attack vector, low attack complexity, low privileges required (an authenticated account) and user interaction needed. No known exploits are currently reported in the wild.
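The root cause described above is a template that copies the stored friendly name into HTML without escaping. The following Go program is an added illustration, not Gokapi's own code, and assumes a hypothetical simplified APIKey record and a one-row template: it renders the same row once with text/template (no escaping, the stored-XSS pattern) and once with html/template (contextual auto-escaping, the fix pattern), and checks whether a constructed friendly name containing markup survives into the output as a live tag.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
	texttemplate "text/template"
)

// APIKey is a hypothetical, simplified stand-in for an API key record.
// It is not Gokapi's own type; only the two fields the example needs are present.
type APIKey struct {
	ID           string
	FriendlyName string
}

// rowTemplate is the same template source for both renderers; the only
// difference is which package parses and executes it.
const rowTemplate = `<tr><td>{{.ID}}</td><td>{{.FriendlyName}}</td></tr>`

// RenderRowUnsafe uses text/template, which performs no escaping at all.
// A FriendlyName containing markup is copied into the page verbatim, which is
// exactly how a renamed API key becomes a stored XSS for every viewer.
func RenderRowUnsafe(k APIKey) (string, error) {
	t, err := texttemplate.New("row").Parse(rowTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, k); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// RenderRowSafe uses html/template, which escapes each {{...}} action according
// to its HTML context. In element text, '<', '>', '&', quotes and '+' become
// entities, so the browser can never parse the friendly name as a tag.
func RenderRowSafe(k APIKey) (string, error) {
	t, err := template.New("row").Parse(rowTemplate)
	if err != nil {
		return "", err
	}
	var buf bytes.Buffer
	if err := t.Execute(&buf, k); err != nil {
		return "", err
	}
	return buf.String(), nil
}

// ContainsRawScriptTag is a simple check a reviewer or regression test can run
// over rendered output: it reports whether a literal "<script" sequence is
// still present, i.e. whether user data reached the page unescaped.
func ContainsRawScriptTag(rendered string) bool {
	return strings.Contains(strings.ToLower(rendered), "<script")
}

func main() {
	// Constructed sample: a friendly name that carries markup, the kind of
	// value the advisory says a user could set by renaming a key.
	k := APIKey{ID: "key-1", FriendlyName: "Backup <script>alert(1)</script>"}

	unsafe, err := RenderRowUnsafe(k)
	if err != nil {
		panic(err)
	}
	safe, err := RenderRowSafe(k)
	if err != nil {
		panic(err)
	}

	fmt.Println("text/template (vulnerable):", unsafe)
	fmt.Println("  raw <script> present:", ContainsRawScriptTag(unsafe))
	fmt.Println("html/template (escaped):  ", safe)
	fmt.Println("  raw <script> present:", ContainsRawScriptTag(safe))
}
```

The practical takeaway for a Go web application is that every template that reaches a browser should be parsed by html/template, and `template.HTML` (which disables escaping) should never be applied to a user-controlled string such as a friendly name; a regression test along the lines of ContainsRawScriptTag over the rendered overview page catches the pattern before it ships.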
Potential Impact
For European organizations using Gokapi versions prior to 2.0.0, this vulnerability poses a risk of cross-site scripting attacks that could lead to session hijacking, unauthorized actions on behalf of users, or theft of sensitive information accessible via the web interface. Since all authenticated users share access to all resources and the same encryption key, an attacker could leverage this vulnerability to compromise the confidentiality and integrity of shared files. This is particularly concerning for organizations handling sensitive or regulated data, as unauthorized access or data leakage could violate GDPR and other data protection regulations. The requirement for authentication limits exposure to internal or trusted users, but insider threats or compromised accounts could exploit this flaw. The lack of user permission controls in affected versions further exacerbates the risk by broadening the scope of accessible data. The impact on availability is limited, but the potential for lateral movement and data compromise within an organization is significant. European entities relying on self-hosted file sharing solutions like Gokapi should prioritize remediation to maintain compliance and protect sensitive data.
Mitigation Recommendations
1. Upgrade to Gokapi version 2.0.0 or later, which includes fixes for this vulnerability through output escaping of the friendly name and the introduction of a user permission system.
2. If an immediate upgrade is not feasible, restrict access to the API key management page to trusted users only and avoid opening the API tab if there is any suspicion of malicious code injection.
3. Implement network-level access controls and monitoring to detect anomalous behavior from authenticated users.
4. Enforce strong authentication mechanisms and monitor user activity logs for signs of abuse or unauthorized access.
5. Educate users about the risks of interacting with untrusted content within the application.
6. Consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting the API key overview page.
7. Regularly audit and rotate encryption keys and API keys to limit exposure in case of compromise.
These steps go beyond generic advice by focusing on the specific context of Gokapi's architecture and the vulnerability's exploitation vector.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-22T12:11:39.122Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 683d9584182aa0cae242f8b8
Added to database: 6/2/2025, 12:13:56 PM
Last enriched: 7/11/2025, 8:01:40 AM
Last updated: 8/16/2025, 5:27:51 AM
Views: 18
Related Threats
- CVE-2025-3495: CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Delta Electronics COMMGR (Critical)
- CVE-2025-53948: CWE-415 Double Free in Santesoft Sante PACS Server (High)
- CVE-2025-52584: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-46269: CWE-122 Heap-based Buffer Overflow in Ashlar-Vellum Cobalt (High)
- CVE-2025-54862: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Santesoft Sante PACS Server (Medium)