Forceu

**Name of the Vulnerable Software and Affected Versions** Gokapi versions prior to 2.2.4 **Description** Gokapi is a self-hosted file sharing server that supports automatic expiration and encryption. An API endpoint is susceptible to accepting request bodies of unlimited size. An authenticated user can exploit this to cause an Out-Of-Memory (OOM) kill, leading to a complete service disruption for all users. The issue impacts the server's stability and availability. The affected API endpoint accepts unbounded request bodies. The `request body` is the vulnerable parameter. **Recommendations** Update to version 2.2.4 or later.

**Name of the Vulnerable Software and Affected Versions** Gokapi versions prior to 2.2.3 **Description** Gokapi is a self-hosted file sharing server that supports automatic expiration and encryption. A registered user lacking the necessary permissions to create or modify file requests can generate a short-lived API key granting them those permissions. This issue impacts systems where no other users have access to the admin/upload menu. The API key allows unauthorized creation or modification of file requests. **Recommendations** Update to version 2.2.3 or later.

**Name of the Vulnerable Software and Affected Versions** Gokapi versions prior to 2.0.0 **Description** Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. The issue allows an authenticated user to inject JS into the API key overview by renaming the friendly name of an API key. This injected JS would be executed when another user clicks on the API tab. Prior to version 2.0.0, all authenticated users could see and modify all resources due to the lack of a user permission system, and the encryption key had to be the same for all users. **Recommendations** For versions prior to 2.0.0, update to version 2.0.0 to resolve the issue. As a temporary workaround, consider not opening the API page if it is possible that another user might have injected code.