Skip to main content

Suse CVE-2026-30955

| EUVDEUVD-2026-12077 MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2026-03-13 https://github.com/Forceu/Gokapi GHSA-qwc6-vc2v-2ggj
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 13, 2026 - 19:00 euvd
EUVD-2026-12077
Analysis Generated
Mar 13, 2026 - 19:00 vuln.today
CVE Published
Mar 13, 2026 - 18:56 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Summary

An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users.

Impact

Any authenticated user can crash the Gokapi server by sending concurrent large payloads.

AnalysisAI

Denial-of-service vulnerability in Gokapi, a file-sharing server, wherein an authenticated attacker can send unbounded request bodies to an API endpoint without size restrictions, causing out-of-memory (OOM) conditions that crash the service and deny access to all users. The vulnerability requires valid authentication credentials but no special privileges, and is classified as high-severity (CVSS 6.5) due to guaranteed availability impact. Patch availability exists in version 2.2.4 and later.

Technical ContextAI

The vulnerability affects the Go package github.com/Forceu/Gokapi (identified via CPE: pkg:go/github.com_forceu_gokapi), a file-sharing and temporary file hosting service written in Go. The root cause is classified under CWE-400 (Uncontrolled Resource Consumption / Denial of Service), specifically the absence of request body size limits on one or more API endpoints. When processing HTTP requests, the affected endpoint(s) lack MaxRequestBodySize or similar protections that would constrain memory allocation. An authenticated client sending large payloads triggers unbound memory allocation in the Go HTTP server, leading to OOM kill by the OS and complete service termination. This is a classic resource exhaustion flaw in HTTP API design.

RemediationAI

Upgrade Gokapi to version 2.2.4 or newer. Release is available at https://github.com/Forceu/Gokapi/releases/tag/v2.2.4; priority: High Workaround (Interim): If immediate patching is not feasible, implement reverse proxy or load balancer limits (nginx, HAProxy, etc.) to enforce maximum request body sizes on all endpoints (recommend 10-100 MB depending on use case). Example nginx: 'client_max_body_size 50M;'; priority: Medium Defense-in-Depth: Restrict API access via firewall/WAF to trusted networks or IP ranges. Limit concurrent connections per authenticated user. Monitor process memory usage and set OS-level ulimits.; priority: Medium

Vendor StatusVendor

SUSE

Severity: Medium

Share

CVE-2026-30955 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy