CVE-2025-48494: 
vulnerability analysis and mitigation

Gokapi, a self-hosted file sharing server with automatic expiration and encryption support, was found to contain a stored cross-site scripting (XSS) vulnerability affecting versions prior to 2.0.0. The vulnerability was discovered and disclosed in June 2025, identified as CVE-2025-48494. The vulnerability specifically affects the file upload functionality when using end-to-end encryption (GitHub Advisory, NVD).

The vulnerability exists in the file upload mechanism when end-to-end encryption is enabled. An attacker can exploit this by uploading a file with JavaScript code embedded in the filename. The malicious script is then parsed and executed every time someone opens the upload list. The vulnerability is particularly concerning because prior to version 2.0.0, there was no user permission system implemented, meaning all authenticated users could see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users (GitHub Release).

The vulnerability allows authenticated users to execute arbitrary JavaScript code with passive interaction from other users viewing the upload list. If multiple users are using the system, this could lead to potential data theft, session hijacking, or other malicious actions. However, single-user installations are not affected by this vulnerability (GitHub Release).

The vulnerability has been fixed in Gokapi version 2.0.0. Users are strongly recommended to upgrade to this version to address the security issue. For those unable to upgrade immediately, a possible workaround is to disable end-to-end encryption. The fix involves proper input sanitization and the implementation of a new user permission system (GitHub Release).