CVE-2025-48495 is a medium-severity cross-site scripting (XSS) vulnerability affecting versions of the Forceu Gokapi self-hosted file sharing server prior to 2.0.0. Gokapi supports automatic expiration and encryption of shared files. The vulnerability arises from improper neutralization of user input during web page generation, specifically when an authenticated user renames the friendly name of an API key. This input is not properly sanitized, allowing injection of malicious JavaScript code into the API key overview page. When another user subsequently accesses their API tab, the injected script executes in their browser context. Prior to version 2.0.0, Gokapi lacked a user permission system, meaning all authenticated users could view and modify all resources, including encrypted files, since the encryption key was shared among all users. This amplifies the risk because any authenticated user could inject malicious scripts that affect all other authenticated users. The vulnerability requires authentication and some user interaction (visiting the API tab). The issue has been addressed in version 2.0.0 by implementing proper input sanitization and a user permission system. Workarounds include avoiding opening the API page if there is suspicion of code injection by other users. The CVSS 4.0 score is 4.8 (medium), reflecting network attack vector, low attack complexity, no privileges required beyond authentication, and user interaction needed. No known exploits are currently reported in the wild.

For European organizations using Gokapi versions prior to 2.0.0, this vulnerability poses a risk of cross-site scripting attacks that could lead to session hijacking, unauthorized actions on behalf of users, or theft of sensitive information accessible via the web interface. Since all authenticated users share access to all resources and the same encryption key, an attacker could leverage this vulnerability to compromise the confidentiality and integrity of shared files. This is particularly concerning for organizations handling sensitive or regulated data, as unauthorized access or data leakage could violate GDPR and other data protection regulations. The requirement for authentication limits exposure to internal or trusted users, but insider threats or compromised accounts could exploit this flaw. The lack of user permission controls in affected versions further exacerbates the risk by broadening the scope of accessible data. The impact on availability is limited, but the potential for lateral movement and data compromise within an organization is significant. European entities relying on self-hosted file sharing solutions like Gokapi should prioritize remediation to maintain compliance and protect sensitive data.

1. Upgrade to Gokapi version 2.0.0 or later, which includes fixes for this vulnerability through input sanitization and the introduction of a user permission system. 2. If immediate upgrade is not feasible, restrict access to the API key management page to trusted users only and avoid opening the API tab if there is suspicion of malicious code injection. 3. Implement network-level access controls and monitoring to detect anomalous behavior from authenticated users. 4. Enforce strong authentication mechanisms and monitor user activity logs for signs of abuse or unauthorized access. 5. Educate users about the risks of interacting with untrusted content within the application. 6. Consider deploying web application firewalls (WAFs) with custom rules to detect and block XSS payloads targeting the API key overview page. 7. Regularly audit and rotate encryption keys and API keys to limit exposure in case of compromise. These steps go beyond generic advice by focusing on the specific context of Gokapi’s architecture and the vulnerability’s exploitation vector.