Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-70963 is a security vulnerability in the Gophish administrative dashboard (version 0.12.1 and earlier) where each user's long-lived API key is exposed directly inside the rendered HTML and JavaScript of the page every time they log in."}, {'type': 'paragraph', 'content': "This means that the API key, which grants privileged access to the application's REST API, is embedded in cleartext within the page source and accessible to any script running in the browser context. This includes potentially malicious scripts from browser extensions, injected code, malware, or cross-site scripting attacks."}, {'type': 'paragraph', 'content': 'Because the API key is long-lived and remains valid independently of the web session, an attacker who can read the page DOM or execute JavaScript in the administrator’s browser can steal the API key and gain permanent administrative access to the application.'}, {'type': 'paragraph', 'content': 'Furthermore, regenerating or rotating the API key does not fix the problem since the new key is also embedded and exposed in the same way upon subsequent logins.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can lead to permanent compromise of your Gophish application because an attacker who can access the administrator’s browser context can steal the long-lived API key.'}, {'type': 'paragraph', 'content': "With the stolen API key, the attacker gains privileged, persistent access to the application's REST API, allowing them to perform administrative actions without needing to log in again."}, {'type': 'paragraph', 'content': 'This persistent access remains even after the administrator logs out or changes their credentials, making it difficult to recover from the breach without manually revoking or rotating keys and changing the application design.'}] [1]

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by inspecting the HTML/JavaScript content of the Gophish administrative dashboard page after login to see if the long-lived API key is embedded directly in the page source.'}, {'type': 'paragraph', 'content': 'You can use browser developer tools to view the page source or DOM and search for the API key within JavaScript objects.'}, {'type': 'paragraph', 'content': 'From a command line perspective, you could use tools like curl or wget to fetch the dashboard page (if authentication is scripted) and then grep or search the output for patterns resembling API keys.'}, {'type': 'list_item', 'content': "curl -s -L -b cookies.txt https://<gophish-dashboard-url>/admin | grep -i 'api_key'"}, {'type': 'list_item', 'content': 'Use browser developer tools (F12) to inspect the page source or console for exposed API keys in JavaScript variables.'}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation is to avoid exposing long-lived API keys in the client-side HTML or JavaScript of the administrative dashboard.

Since regenerating or rotating the API key does not resolve the issue, the best immediate step is to restrict access to the administrative dashboard to trusted environments and users only.

Additionally, consider using short-lived, session-bound tokens for UI operations instead of embedding permanent API keys.

If possible, update or patch Gophish to a version that addresses this vulnerability or apply any recommended configuration changes to prevent API keys from being embedded in the page source.

Useful 0 Not Useful 0