Gokapi, Stored XSS, CVE-2025-XXXXX (Critical)


How the CVE Works

Gokapi versions 1.0.1 through 1.9.6 are vulnerable to stored cross-site scripting (XSS) via malicious file names supplied at upload. When end-to-end encryption is enabled, JavaScript embedded in a file's name executes whenever the upload list is viewed, because the application inserts filenames into the browser DOM without sanitizing them. An authenticated attacker can therefore plant a persistent script that runs for every user who opens the file listing page. In pre-2.0 versions the shared encryption key architecture amplified the impact, since all authenticated users could access encrypted resources. The XSS payload could facilitate session hijacking, crypto mining, or phishing redirections.

DailyCVE Form

Platform: Gokapi
Version: 1.0.1-1.9.6
Vulnerability: Stored XSS
Severity: Critical
Date: 2025-06-03

Prediction: Patch released (v2.0.0)

What Undercode Says:

Analytics

  • Attack Vector: Web
  • Complexity: Low
  • Privileges Required: Low (Authenticated)
  • User Interaction: Required (View file list)
  • Scope: Changed (via shared encryption)

Exploit Commands

curl -X POST -F "[email protected];filename=<script>alert(1)</script>.pdf" http://gokapi/upload
// FormData.append() returns undefined, so build the form first
const fd = new FormData();
fd.append('file', new Blob(), '"><img src=x onerror=stealCookies()>.png');
fetch('/upload', { method: 'POST', body: fd });

Protection

add_header Content-Security-Policy "default-src 'self'";
import "strings"

// Stripping angle brackets is incomplete on its own; encode on output (html.EscapeString or html/template) as well.
func sanitizeFilename(name string) string {
	return strings.NewReplacer("<", "", ">", "").Replace(name)
}

Detection

grep -r "filename=" /var/www/gokapi/templates/
SELECT * FROM uploads WHERE filename LIKE '%<%';
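The following is an added illustration, not Gokapi's code and not from the advisory: it reproduces the defect class described under "How the CVE Works" in a small Go program, puts the allowlist validation that "Sanitize filenames server-side" calls for beside it, and adds the retrospective scan that the Detection queries above perform by hand. The template, the allowlist policy, the `markupIndicators` heuristic and the three sample filenames are constructed assumptions; Gokapi's real rendering path (client-side when end-to-end encryption is on, per the advisory) is not modelled, only the rendering mistake itself.

```go
package main

import (
	"fmt"
	"html/template"
	"regexp"
	"strings"
	texttemplate "text/template"
)

// Constructed sample upload list (not data from the advisory): a harmless
// name, a name carrying a script tag, and a name that breaks out of an
// attribute with an event handler.
var sampleUploads = []string{
	"quarterly-report.pdf",
	"<script>alert(1)</script>.pdf",
	`"><img src=x onerror=alert(2)>.png`,
}

// One row of a hypothetical upload list; the same template source is used
// by both renderers so the only difference is the escaping behaviour.
const rowTemplate = `<tr><td>{{.}}</td></tr>`

// renderUnsafe reproduces the defect class: text/template has no notion of
// HTML, so the filename is substituted verbatim and any markup it carries
// becomes part of the DOM.
func renderUnsafe(name string) string {
	t := texttemplate.Must(texttemplate.New("row").Parse(rowTemplate))
	var sb strings.Builder
	if err := t.Execute(&sb, name); err != nil {
		panic(err)
	}
	return sb.String()
}

// renderSafe uses html/template, whose contextual autoescaping turns
// '<', '>', '"' and similar characters into entities, so the browser shows
// the filename as text instead of parsing it as markup.
func renderSafe(name string) string {
	t := template.Must(template.New("row").Parse(rowTemplate))
	var sb strings.Builder
	if err := t.Execute(&sb, name); err != nil {
		panic(err)
	}
	return sb.String()
}

// allowedName is an allowlist for display names (letters, digits, space,
// dot, underscore, dash, parentheses; 1-255 characters). Rejecting anything
// else is more robust than stripping '<' and '>', which leaves attribute
// and URL contexts unprotected.
var allowedName = regexp.MustCompile(`^[A-Za-z0-9 ._()-]{1,255}$`)

// validateFilename is the server-side check to run at upload time.
func validateFilename(name string) error {
	if !allowedName.MatchString(name) {
		return fmt.Errorf("filename %q contains disallowed characters", name)
	}
	return nil
}

// markupIndicators is a retrospective heuristic for names already in
// storage: angle brackets, inline event handlers and javascript: URLs.
// Matches are candidates for review, not proof of exploitation.
var markupIndicators = regexp.MustCompile(`(?i)[<>]|\bon[a-z]+\s*=|javascript:`)

// findSuspicious returns the stored names that match markupIndicators.
func findSuspicious(names []string) []string {
	var hits []string
	for _, n := range names {
		if markupIndicators.MatchString(n) {
			hits = append(hits, n)
		}
	}
	return hits
}

func main() {
	for _, n := range sampleUploads {
		fmt.Printf("unsafe: %s\nsafe:   %s\n", renderUnsafe(n), renderSafe(n))
		if err := validateFilename(n); err != nil {
			fmt.Println("rejected:", err)
		}
	}
	fmt.Println("suspicious stored names:", findSuspicious(sampleUploads))
}
```

Running it shows the second and third names surviving verbatim in the `renderUnsafe` output and arriving entity-encoded from `renderSafe`; both are rejected by `validateFilename` and both are returned by `findSuspicious`, while the plain PDF name passes untouched. The point of keeping both a validator and an output encoder is that neither alone is sufficient: validation protects new uploads, output encoding protects against whatever is already stored or arrives through another path.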

Mitigation

1. Upgrade to v2.0.0

2. Disable end-to-end encryption

3. Implement CSP headers

4. Sanitize filenames server-side

5. Restrict upload permissions

References

  • GitHub Advisory: GHSA-xxxx-xxxx-xxxx
  • NVD: CVE-2025-XXXXX
  • Patch Commit: 343cc566cfd7

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
