
CVE-2025-48495: Gokapi has stored XSS vulnerability in friendly name for API keys

June 3, 2025 (updated August 26, 2025)

By renaming the friendly name of an API key, an authenticated user could inject JavaScript into the API key overview; the script also runs when another user opens their API tab. In the affected versions (<v2.0) there was no user permission system, so every authenticated user could already see and modify all resources, including end-to-end encrypted ones, because the encryption key had to be the same for all users before v2.0. Nevertheless, XSS opens further attack vectors such as redirection or crypto mining.
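The root cause described above is a user-controlled string (the friendly name) written into the overview page without HTML escaping. The following Go program is an added illustration, not Gokapi's own code: it renders the same overview row once with text/template, which substitutes values verbatim and so reproduces the stored XSS pattern, and once with html/template, which applies context-aware escaping. The apiKey struct, the row template and the payload string are all constructed for this example.

```go
package main

import (
	"bytes"
	"fmt"
	"html/template"
	"strings"
	texttemplate "text/template"
)

// apiKey is a hypothetical record with a user-controlled friendly name.
// It stands in for whatever the real application stores; it is not Gokapi's type.
type apiKey struct {
	ID           string
	FriendlyName string
}

// hostilePayload is a constructed friendly name of the kind an authenticated
// user could submit when renaming a key. It needs no <script> tag: an event
// handler on an <img> fires as soon as the row is rendered.
const hostilePayload = `<img src=x onerror="alert(document.cookie)">`

// rowTmpl is the overview row. The template text is identical for both
// renderers below; only the template package differs.
const rowTmpl = `<tr><td>{{.ID}}</td><td>{{.FriendlyName}}</td></tr>`

// renderVulnerable uses text/template, which performs no escaping, so any
// markup stored in FriendlyName reaches the browser as live HTML.
func renderVulnerable(k apiKey) string {
	t := texttemplate.Must(texttemplate.New("row").Parse(rowTmpl))
	var buf bytes.Buffer
	if err := t.Execute(&buf, k); err != nil {
		panic(err)
	}
	return buf.String()
}

// renderHardened uses html/template, which escapes <, >, &, quotes and + in
// HTML text context, so the same stored value is shown as inert text.
func renderHardened(k apiKey) string {
	t := template.Must(template.New("row").Parse(rowTmpl))
	var buf bytes.Buffer
	if err := t.Execute(&buf, k); err != nil {
		panic(err)
	}
	return buf.String()
}

// containsLiveMarkup reports whether an unescaped tag from the payload
// survived rendering, i.e. whether the XSS would fire in a browser.
func containsLiveMarkup(rendered string) bool {
	return strings.Contains(rendered, "<img")
}

func main() {
	k := apiKey{ID: "key-1", FriendlyName: hostilePayload}
	fmt.Println("text/template:", renderVulnerable(k))
	fmt.Println("html/template:", renderHardened(k))
}
```

Switching the template package is the minimal fix for this class of bug; a Content-Security-Policy that disallows inline script handlers adds defence in depth, and server-side validation of the friendly name (length limit, printable characters) reduces what can be stored in the first place but is not a substitute for output encoding.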

References

  • github.com/Forceu/Gokapi
  • github.com/Forceu/Gokapi/commit/65ddbc68fbfdf1c80cadb477f4bcbb7f2c4fdbf8
  • github.com/Forceu/Gokapi/security/advisories/GHSA-4xg4-54hm-9j77
  • github.com/advisories/GHSA-4xg4-54hm-9j77
  • nvd.nist.gov/vuln/detail/CVE-2025-48495
  • pkg.go.dev/vuln/GO-2025-3736


Affected versions

All versions starting from 1.0.1 up to 1.9.6

Solution

Unfortunately, there is no solution available yet.

Impact: 5.4 MEDIUM (CVSS v3.1)

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N


Weakness

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-87: Improper Neutralization of Alternate XSS Syntax

Source file

go/github.com/forceu/gokapi/CVE-2025-48495.yml

Page generated Thu, 11 Sep 2025 00:19:17 +0000.