CVE-2025-48494: Gokapi vulnerable to stored XSS via uploading file with malicious file name

June 3, 2025

When using end-to-end encryption, a stored XSS vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every time someone opens the upload list, the script is then parsed.

With the affected versions <v2.0, there was no user permission system implemented, therefore all authenticated users were already able to see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users with <v2.0. Nethertheless with XSS, other attack vectors like redirection or crypto mining would be possble.

References

github.com/Forceu/Gokapi
github.com/Forceu/Gokapi/commit/343cc566cfd7f4efcd522c92371561d494aed6b0
github.com/Forceu/Gokapi/releases/tag/v2.0.0
github.com/Forceu/Gokapi/security/advisories/GHSA-95rc-wc32-gm53
github.com/advisories/GHSA-95rc-wc32-gm53
nvd.nist.gov/vuln/detail/CVE-2025-48494

Code Behaviors & Features

Detect and mitigate CVE-2025-48494 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →