6.5
Gokapi API crashes when sent large requests
GHSA-qwc6-vc2v-2ggj
CVE-2026-30955
Summary
Gokapi's API endpoint doesn't limit request size, allowing a malicious user to send large requests and crash the service, disrupting access for all users. This can be exploited by anyone with an account. To protect against this, consider setting a size limit on API requests or implementing rate limiting.
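The size limit suggested above, sketched for a Go `net/http` handler as an added example; it is not Gokapi's code or the 2.2.4 fix, and the handler name, the 1 MiB cap and the JSON payload shape are assumptions. It rejects on a declared `Content-Length` first, then enforces the cap on the stream so that chunked bodies with no declared length are also bounded.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxBodyBytes is an assumed cap for this example; the advisory does not state one.
const maxBodyBytes = 1 << 20 // 1 MiB

// limitedHandler (hypothetical name) bounds the request body before parsing it.
func limitedHandler(w http.ResponseWriter, r *http.Request) {
	if r.ContentLength > maxBodyBytes { // cheap reject on the declared size
		http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
		return
	}
	// Hard cap on the stream: reads past the limit fail, even without Content-Length.
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	var meta map[string]any
	if err := json.NewDecoder(r.Body).Decode(&meta); err != nil {
		var tooBig *http.MaxBytesError // available since Go 1.19
		if errors.As(err, &tooBig) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "invalid JSON", http.StatusBadRequest)
		return
	}
	w.WriteHeader(http.StatusOK)
}

// statusFor sends a constructed JSON body with an n-byte string field and returns the status code.
func statusFor(n int, chunked bool) int {
	body := `{"content":"` + strings.Repeat("A", n) + `"}`
	req := httptest.NewRequest(http.MethodPost, "/api/example", strings.NewReader(body))
	if chunked {
		req.ContentLength = -1 // simulate a body sent without a declared length
	}
	rec := httptest.NewRecorder()
	limitedHandler(rec, req)
	return rec.Code
}

func main() {
	fmt.Println(statusFor(1024, false), statusFor(2<<20, false), statusFor(2<<20, true))
}
```

A per-request cap bounds memory per connection only; worst-case usage is still the cap multiplied by the number of concurrent requests, which is why the summary pairs it with rate limiting.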
What to do
- Update Gokapi (github.com/forceu/gokapi) to version 2.2.4.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| github.com | forceu | <= 2.2.3 | 2.2.4 |
| forceu | github.com/forceu/gokapi | <= 2.2.4 | 2.2.4 |
Original title
Gokapi vulnerable to DoS in E2E Metadata Parser
Original description
### Summary
An API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users.
### Impact
Any authenticated user can crash the Gokapi server by sending concurrent large payloads.
ghsa CVSS3.1
6.5
Vulnerability type
CWE-400
Uncontrolled Resource Consumption
Published: 13 Mar 2026 · Updated: 14 Mar 2026 · First seen: 13 Mar 2026