CVE-2026-30955
Status: Received - Intake
Unrestricted Request Size in Gokapi API Causes DoS

Publication date: 2026-03-13

Last updated on: 2026-03-17

Assigner: GitHub, Inc.

Description
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. Prior to 2.2.4, an API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users. This vulnerability is fixed in 2.2.4.
Meta Information
Published: 2026-03-13
Last Modified: 2026-03-17
Generated: 2026-06-16
AI Q&A: 2026-03-13
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products
1 associated CPE
Vendor: forceu
Product: gokapi
Version / Range: up to 2.2.4 (excluding 2.2.4)
CWE
CWE-400 (Uncontrolled Resource Consumption): The product does not properly control the allocation and maintenance of a limited resource.
Executive Summary

CVE-2026-30955 is a Denial of Service (DoS) vulnerability in the Gokapi file sharing server up to and including version 2.2.3. The issue occurs because an API endpoint accepts request bodies without any size limit, so the server buffers whatever an authenticated client sends it. An authenticated user can exploit this by sending a request with a very large body, or several such requests concurrently, which causes uncontrolled consumption of system memory.

This uncontrolled resource consumption leads to an out-of-memory (OOM) kill, crashing the server and causing complete service disruption for all users.

The vulnerability is fixed in version 2.2.4.

Impact Analysis

This vulnerability can cause a complete denial of service on the Gokapi server by allowing an authenticated user to crash the service through excessive memory consumption.

  • Service disruption for all users due to server crash.
  • Potential loss of availability of file sharing services hosted on the affected server.
  • Requires only low privileges (authenticated user) and no user interaction, making it relatively easy to exploit.

Detection Guidance

This vulnerability can be detected by monitoring for unusually large or numerous concurrent API request bodies sent by authenticated users to the Gokapi server. Since the issue involves unbounded request sizes causing resource exhaustion, network traffic analysis focusing on large payloads to the API endpoint is key.

You can use network monitoring tools to identify large HTTP POST requests to the Gokapi API endpoints. For example, using tcpdump or tshark to capture TCP segments carrying more than 1000 bytes of payload (replace port 80 with the port Gokapi or its reverse proxy actually listens on):

  • tcpdump -i <interface> -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) > 1000)'
  • tshark -i <interface> -Y 'http.request.method == "POST" and frame.len > 1000' -T fields -e ip.src -e http.request.uri -e frame.len

Note that these filters match any large segment, including legitimate uploads and downloads on a file sharing server, and the tshark HTTP filter only works on cleartext traffic. If Gokapi is served over TLS, the per-request body size is better read from the TLS-terminating reverse proxy's access log (nginx exposes it as the $request_length variable) and correlated by client address and account.

Additionally, monitoring system logs and resource usage for signs of out-of-memory (OOM) kills or service crashes related to the Gokapi process can help detect exploitation attempts: on Linux the kernel logs an "Out of memory" message naming the killed process to dmesg/the journal, and repeated automatic restarts of the Gokapi service are another indicator. [1]
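The log-based detection described above, as an added example that is not part of the page or of the Gokapi project: a Go program that scans reverse-proxy access log lines for body-carrying requests whose $request_length exceeds a threshold and tallies them per client. The log lines are constructed for this example, the nginx log_format they follow is assumed (it is not nginx's default "combined" format, which lacks $request_length), and the /api/... paths are placeholders rather than the affected endpoint.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Constructed sample lines (not real Gokapi logs), in an assumed nginx log_format
// for a reverse proxy placed in front of Gokapi:
//   '$remote_addr - $remote_user [$time_local] "$request" $status $request_length'
// $request_length counts request line, headers and body, so oversized bodies are
// visible here even where the client connection is TLS and tshark cannot see the
// HTTP method. The /api/... paths are placeholders, not the affected endpoint.
// 502 on the last lines stands for the upstream (Gokapi) having died mid-request.
const sampleLog = `10.0.0.5 - alice [13/Mar/2026:10:01:02 +0000] "POST /api/upload HTTP/1.1" 200 20480
10.0.0.5 - alice [13/Mar/2026:10:01:03 +0000] "GET /api/list HTTP/1.1" 200 512
10.0.0.9 - mallory [13/Mar/2026:10:02:00 +0000] "POST /api/upload HTTP/1.1" 502 2147483648
10.0.0.9 - mallory [13/Mar/2026:10:02:01 +0000] "POST /api/upload HTTP/1.1" 502 2147483648
10.0.0.9 - mallory [13/Mar/2026:10:02:01 +0000] "POST /api/upload HTTP/1.1" 502 2147483648
`

var lineRE = regexp.MustCompile(`^(\S+) - (\S+) \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) (\d+)$`)

// Alert is one request whose total length exceeded the configured limit.
type Alert struct {
	Client string
	User   string
	Method string
	URI    string
	Status int
	Bytes  int64
}

// OversizedRequests returns one Alert per body-carrying request (POST/PUT/PATCH)
// whose $request_length exceeds limit. Lines that do not match the format are skipped.
func OversizedRequests(log string, limit int64) []Alert {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		m := lineRE.FindStringSubmatch(sc.Text())
		if m == nil {
			continue
		}
		switch m[3] {
		case "POST", "PUT", "PATCH":
		default:
			continue // GET/HEAD/DELETE carry no body worth counting
		}
		n, err := strconv.ParseInt(m[6], 10, 64)
		if err != nil || n <= limit {
			continue
		}
		status, _ := strconv.Atoi(m[5]) // regex already guarantees three digits
		alerts = append(alerts, Alert{Client: m[1], User: m[2], Method: m[3], URI: m[4], Status: status, Bytes: n})
	}
	return alerts
}

// CountByClient tallies alerts per remote address; one source sending several
// oversized bodies in a short window is the concurrent-request pattern described above.
func CountByClient(alerts []Alert) map[string]int {
	counts := make(map[string]int)
	for _, a := range alerts {
		counts[a.Client]++
	}
	return counts
}

func main() {
	// 100 MiB is an assumption: set it above the largest upload chunk legitimate clients send.
	const limit = 100 << 20
	alerts := OversizedRequests(sampleLog, limit)
	for _, a := range alerts {
		fmt.Printf("%s (%s) %s %s -> %d, %d bytes\n", a.Client, a.User, a.Method, a.URI, a.Status, a.Bytes)
	}
	for client, n := range CountByClient(alerts) {
		fmt.Printf("%s: %d oversized requests\n", client, n)
	}
}
```

The threshold matters on a file sharing server: set it below the limit at which the server runs out of memory but above the largest body a legitimate upload produces, otherwise every normal upload becomes an alert.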

Mitigation Strategies

The immediate and recommended mitigation is to upgrade the Gokapi server to version 2.2.4 or later, where this vulnerability has been fixed.

Until the upgrade can be performed, you should restrict or monitor authenticated users' ability to send large or multiple concurrent requests to the API endpoint to prevent resource exhaustion. Because exploitation requires an authenticated user, reviewing who holds accounts and credentials for the instance reduces the number of principals able to trigger it.

Implementing rate limiting, request size limits, or firewall rules to block unusually large payloads at a reverse proxy in front of Gokapi can help reduce the risk of exploitation. Set any body size limit above the largest upload chunk legitimate clients send, otherwise normal uploads will fail. Running Gokapi under a memory limit (for example a systemd MemoryMax= setting or a container memory limit) confines an OOM kill to the Gokapi process instead of the whole host, but does not by itself keep the service available. [1]
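The unbounded-body pattern from the Description and the "request size limits" mitigation above, as an added example that is not part of the page and is not Gokapi's code (it makes no claim about how 2.2.4 fixed the issue): a Go HTTP handler that reads the whole body with no cap, beside the same handler hardened with http.MaxBytesReader, exercised through httptest. The 1 MiB cap, the /api/example path and the handler names are assumptions for the example.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// MaxAPIBody is the cap applied by the hardened handler. The value is an assumption:
// pick one just above the largest body a legitimate client of the endpoint sends.
const MaxAPIBody = 1 << 20 // 1 MiB

// vulnerableHandler shows the CWE-400 pattern the advisory describes: the entire
// request body is read into memory with no upper bound, so the process's peak
// memory is chosen by whoever sends the request.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body) // grows without limit
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "received %d bytes", len(body))
}

// hardenedHandler wraps the body in http.MaxBytesReader. A read past the cap
// returns *http.MaxBytesError and the server closes the connection, so at most
// MaxAPIBody+1 bytes are buffered for any single request.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, MaxAPIBody)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var mbe *http.MaxBytesError
		if errors.As(err, &mbe) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "received %d bytes", len(body))
}

// post sends an n-byte body to h through httptest and returns the HTTP status
// the handler produced; it lets the two handlers be compared without a listener.
func post(h http.HandlerFunc, n int) int {
	req := httptest.NewRequest(http.MethodPost, "/api/example", bytes.NewReader(make([]byte, n)))
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	oversized := MaxAPIBody + 1
	fmt.Println("vulnerable handler, oversized body:", post(vulnerableHandler, oversized)) // 200
	fmt.Println("hardened handler, oversized body:  ", post(hardenedHandler, oversized))   // 413
	fmt.Println("hardened handler, body at the cap: ", post(hardenedHandler, MaxAPIBody))  // 200
}
```

The same cap can be enforced for every route at once by wrapping the server's handler and calling http.MaxBytesReader before dispatch; whichever way it is applied, the limit bounds memory per request, so it should be paired with a connection or rate limit to bound the number of concurrent requests as well.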
