CVE-2025-48495: 
vulnerability analysis and mitigation

Gokapi, a self-hosted file sharing server with automatic expiration and encryption support, was found to contain a stored Cross-Site Scripting (XSS) vulnerability (CVE-2025-48495). By renaming the friendly name of an API key, an authenticated user could inject JavaScript into the API key overview, which would be executed when another user clicks on their API tab. This vulnerability affected versions prior to 2.0.0, where no user permission system was implemented, allowing all authenticated users to see and modify all resources (NVD).

The vulnerability stems from improper neutralization of input during web page generation, specifically in the API key friendly name handling. The issue was classified with CWE-87 (Improper Neutralization of Alternate XSS Syntax) and CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v4.0 score was rated as 4.8 MEDIUM with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L (NVD).

The vulnerability allowed authenticated users to inject malicious JavaScript code that would execute when other users accessed the API tab. Since versions prior to 2.0.0 had no user permission system, all authenticated users could see and modify all resources, even if end-to-end encrypted, as the encryption key had to be the same for all users (NVD).

The vulnerability has been fixed in version 2.0.0. For users unable to update immediately, a workaround is to avoid opening the API page if there's a possibility that another user might have injected code. The fix involved proper input sanitization and the implementation of a user permission system (NVD, GitHub Commit).