Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users.
Impact
Any authenticated user can crash the Gokapi server by sending concurrent large payloads.
AnalysisAI
Denial-of-service vulnerability in Gokapi, a file-sharing server, wherein an authenticated attacker can send unbounded request bodies to an API endpoint without size restrictions, causing out-of-memory (OOM) conditions that crash the service and deny access to all users. The vulnerability requires valid authentication credentials but no special privileges, and is classified as high-severity (CVSS 6.5) due to guaranteed availability impact. Patch availability exists in version 2.2.4 and later.
Technical ContextAI
The vulnerability affects the Go package github.com/Forceu/Gokapi (identified via CPE: pkg:go/github.com_forceu_gokapi), a file-sharing and temporary file hosting service written in Go. The root cause is classified under CWE-400 (Uncontrolled Resource Consumption / Denial of Service), specifically the absence of request body size limits on one or more API endpoints. When processing HTTP requests, the affected endpoint(s) lack MaxRequestBodySize or similar protections that would constrain memory allocation. An authenticated client sending large payloads triggers unbound memory allocation in the Go HTTP server, leading to OOM kill by the OS and complete service termination. This is a classic resource exhaustion flaw in HTTP API design.
RemediationAI
Upgrade Gokapi to version 2.2.4 or newer. Release is available at https://github.com/Forceu/Gokapi/releases/tag/v2.2.4; priority: High Workaround (Interim): If immediate patching is not feasible, implement reverse proxy or load balancer limits (nginx, HAProxy, etc.) to enforce maximum request body sizes on all endpoints (recommend 10-100 MB depending on use case). Example nginx: 'client_max_body_size 50M;'; priority: Medium Defense-in-Depth: Restrict API access via firewall/WAF to trusted networks or IP ranges. Limit concurrent connections per authenticated user. Monitor process memory usage and set OS-level ulimits.; priority: Medium
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: MediumShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-12077
GHSA-qwc6-vc2v-2ggj