GHSA-45vh-rpc8-hxpp
Suggest an improvement- Source
- https://github.com/advisories/GHSA-45vh-rpc8-hxpp
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-45vh-rpc8-hxpp/GHSA-45vh-rpc8-hxpp.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-45vh-rpc8-hxpp
- Aliases
- Published
- 2026-03-13T18:56:51Z
- Modified
- 2026-03-16T17:16:23.368389Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L CVSS Calculator
- Summary
- Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload
- Details
-
Summary
The chunked upload completion path for file requests does not validate the total file size against the per-request
MaxSizelimit. An attacker with a public file request link can split an oversized file into chunks each underMaxSizeand upload them sequentially, bypassing the size restriction entirely. Files up to the server's globalMaxFileSizeMBare accepted regardless of the file request's configured limit.Impact
Any guest with access to a shared file request link can upload files far larger than the administrator-configured size limit, up to the server's global
MaxFileSizeMB. This allows unauthorized storage consumption, circumvention of administrative resource policies, and potential service disruption through storage exhaustion. No data exposure or privilege escalation occurs. - Database specific
{ "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-20", "CWE-770" ], "github_reviewed_at": "2026-03-13T18:56:51Z", "nvd_published_at": "2026-03-13T19:54:35Z" }- References
Affected packages
Go / github.com/forceu/gokapi
Package
- Name
- github.com/forceu/gokapi
- View open source insights on deps.dev
- Purl
- pkg:golang/github.com/forceu/gokapi