GHSA-qwc6-vc2v-2ggj

Source
https://github.com/advisories/GHSA-qwc6-vc2v-2ggj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-qwc6-vc2v-2ggj/GHSA-qwc6-vc2v-2ggj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qwc6-vc2v-2ggj
Aliases
Published
2026-03-13T18:56:46Z
Modified
2026-03-24T21:16:37.919477Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Summary
Gokapi vulnerable to DoS in E2E Metadata Parser
Details

Summary

An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users.

Impact

Any authenticated user can crash the Gokapi server by sending concurrent large payloads.
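The bug class described above, shown as an added example that is not Gokapi's code or its actual fix: a handler that reads a JSON metadata body with no cap, next to the same handler capped with `http.MaxBytesReader`. The handler name, the route, the 1 MiB limit and the payloads are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

const maxMetadataBytes = 1 << 20 // assumed cap for this example, not a Gokapi value

// metadataHandler is a hypothetical endpoint that accepts a JSON metadata blob.
// limit <= 0 reproduces the unbounded read; limit > 0 rejects larger bodies with 413.
func metadataHandler(limit int64) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		body := io.Reader(r.Body)
		if limit > 0 {
			body = http.MaxBytesReader(w, r.Body, limit)
		}
		raw, err := io.ReadAll(body) // with no limit, the whole payload is buffered in memory
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		if err != nil || !json.Valid(raw) {
			http.Error(w, "invalid metadata", http.StatusBadRequest)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}
}

// postStatus sends a constructed JSON payload with n padding bytes and returns the status code.
func postStatus(h http.Handler, n int) int {
	payload := `{"pad":"` + strings.Repeat("A", n) + `"}`
	req := httptest.NewRequest(http.MethodPost, "/hypothetical/metadata", strings.NewReader(payload))
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("unbounded, 2 MiB body:", postStatus(metadataHandler(0), 2<<20))
	fmt.Println("bounded, 2 MiB body:  ", postStatus(metadataHandler(maxMetadataBytes), 2<<20))
}
```

A per-request cap bounds memory per connection only; since the impact here comes from concurrent requests, total exposure is the cap multiplied by the number of simultaneous requests the server admits.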

Database specific
{
    "nvd_published_at": "2026-03-13T19:54:35Z",
    "github_reviewed_at": "2026-03-13T18:56:46Z",
    "cwe_ids": [
        "CWE-400"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}
References

Affected packages

Go / github.com/forceu/gokapi

Package

Name
github.com/forceu/gokapi
Purl
pkg:golang/github.com/forceu/gokapi

Affected ranges

Type
SEMVER
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
2.2.4

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-qwc6-vc2v-2ggj/GHSA-qwc6-vc2v-2ggj.json"
last_known_affected_version_range
"<= 2.2.3"