CVE-2025-48494: 
vulnerability analysis and mitigation

Gokapi, a self-hosted file sharing server with automatic expiration and encryption support, was found to contain a stored cross-site scripting (XSS) vulnerability identified as CVE-2025-48494. The vulnerability was discovered and disclosed in June 2025, affecting versions prior to 2.0.0. The vulnerability specifically impacts the file upload mechanism when end-to-end encryption is enabled (GitHub Advisory, NVD).

The vulnerability exists in the file upload mechanism when end-to-end encryption is enabled. The issue stems from improper sanitization of filenames, allowing JavaScript code embedded in filenames to be executed whenever someone opens the upload list. The vulnerability has been assigned a CVSS v4.0 score of 4.8 (MEDIUM) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L (Wiz).

The vulnerability allows authenticated users to execute arbitrary JavaScript code when other users view the upload list. If multiple users are using the system, this could lead to potential data theft, session hijacking, or other malicious actions. However, single-user installations are not affected by this vulnerability as there are no other users to target (Wiz).

The vulnerability has been fixed in Gokapi version 2.0.0. Users are strongly recommended to upgrade to this version to address the security issue. For those unable to upgrade immediately, a possible workaround is to disable end-to-end encryption. The fix involves proper input sanitization and the implementation of a new user permission system (GitHub Release).