CVE-2025-48494: Gokapi vulnerable to stored XSS via uploading file with malicious file name
(updated )
When using end-to-end encryption, a stored XSS vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every time someone opens the upload list, the script is then parsed.
With the affected versions <v2.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users with <v2.0. Nethertheless with XSS, other attack vectors like redirection or crypto mining would be possble.
References
- github.com/Forceu/Gokapi
- github.com/Forceu/Gokapi/commit/343cc566cfd7f4efcd522c92371561d494aed6b0
- github.com/Forceu/Gokapi/releases/tag/v2.0.0
- github.com/Forceu/Gokapi/security/advisories/GHSA-95rc-wc32-gm53
- github.com/advisories/GHSA-95rc-wc32-gm53
- nvd.nist.gov/vuln/detail/CVE-2025-48494
- pkg.go.dev/vuln/GO-2025-3737
Code Behaviors & Features
Detect and mitigate CVE-2025-48494 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →