CVE-2025-70963 Overview
CVE-2025-70963 is an Incorrect Access Control vulnerability affecting Gophish versions 0.12.1 and earlier. On every login, the administrative dashboard renders the logged-in user's long-lived API key directly into the HTML/JavaScript of the page. This design flaw makes a permanent API credential readable by any script running in the browser context (an extension, an injected script, a compromised third-party library), which is a significant risk for organizations that use Gophish for phishing awareness campaigns.
Critical Impact
Long-lived API credentials are exposed in the browser context, so malicious scripts or browser extensions can harvest a user's API key and gain the same access to the Gophish instance that the user has: campaigns, sending profiles, templates, phishing simulation results, and user information.
Affected Products
- Gophish versions 0.12.1 and earlier
- getgophish gophish (all versions up to and including 0.12.1)
Discovery Timeline
- 2026-02-06 - CVE-2025-70963 published to NVD
- 2026-02-10 - Last updated in NVD database
Technical Details for CVE-2025-70963
Vulnerability Analysis
The vulnerability is an insecure design pattern: a sensitive credential is embedded in client-side code. When a user logs into the Gophish administrative dashboard, the application renders that user's long-lived API key into the HTML or JavaScript of the page. This is an information disclosure (CWE-200): any script executing in the browser context, whether a legitimate browser extension, a compromised third-party script, or a cross-site scripting payload, can read the key. The same-origin policy offers no protection here, because such a script already runs within the dashboard's own origin.
The exposed key provides persistent access to the Gophish instance with the privileges of the user it belongs to, allowing an attacker to manage phishing campaigns, read simulation results, export target and user data, and compromise the integrity of the security awareness program (for example, by altering or launching campaigns).
Root Cause
The root cause is improper handling of sensitive credentials in the client-side rendering process. Rather than keeping API keys server-side, or issuing the browser a short-lived, session-bound token through a secure token exchange, the application embeds the long-lived credential directly in the DOM or in JavaScript variables accessible to any browser-context script. This violates the principle of least privilege: a dashboard session only needs session-scoped access for as long as the user is logged in, yet it is handed a permanent credential that outlives the session and is valid from anywhere.
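The following Go program is an added illustration of the root cause and of the "secure token exchange" alternative; it is not Gophish code and does not reproduce Gophish's templates. It renders a hypothetical dashboard page two ways with html/template: the vulnerable variant interpolates the user's permanent API key into the page's script, and the hardened variant embeds only a random 15-minute token kept in a server-side store, so the long-lived key never reaches the browser. The type and function names (user, tokenStore, renderVulnerable, renderHardened, leaksKey) and the sample key are illustrative.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"html/template"
	"strings"
	"sync"
	"time"
)

// user is a hypothetical stand-in for a dashboard user record; APIKey is the
// long-lived credential intended for automation clients, not for the browser.
type user struct {
	Username string
	APIKey   string
}

// vulnerablePage reproduces the flawed pattern: the permanent key is
// interpolated into the page's JavaScript on every render.
var vulnerablePage = template.Must(template.New("dash").Parse(
	`<html><body><script>var user = {name: "{{.Username}}", api_key: "{{.APIKey}}"};</script></body></html>`))

// hardenedPage embeds only a short-lived, session-bound token.
var hardenedPage = template.Must(template.New("dash").Parse(
	`<html><body><script>var user = {name: "{{.Username}}", session_token: "{{.SessionToken}}"};</script></body></html>`))

type tokenEntry struct {
	username string
	expires  time.Time
}

// tokenStore keeps the dashboard tokens server-side, keyed by token value.
type tokenStore struct {
	mu     sync.Mutex
	tokens map[string]tokenEntry
}

func newTokenStore() *tokenStore { return &tokenStore{tokens: map[string]tokenEntry{}} }

// issue mints a random token for u that expires after ttl; the expiry bounds
// the damage if a browser-context script does manage to read it.
func (s *tokenStore) issue(u user, ttl time.Duration, now time.Time) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	tok := hex.EncodeToString(b)
	s.mu.Lock()
	defer s.mu.Unlock()
	s.tokens[tok] = tokenEntry{username: u.Username, expires: now.Add(ttl)}
	return tok, nil
}

// lookup resolves a token to its user, rejecting unknown or expired tokens.
func (s *tokenStore) lookup(tok string, now time.Time) (string, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.tokens[tok]
	if !ok || now.After(e.expires) {
		return "", false
	}
	return e.username, true
}

// renderVulnerable returns dashboard HTML that carries the long-lived key.
func renderVulnerable(u user) (string, error) {
	var buf bytes.Buffer
	err := vulnerablePage.Execute(&buf, u)
	return buf.String(), err
}

// renderHardened returns dashboard HTML carrying only a 15-minute token,
// plus the token itself so the caller could set it as a cookie instead.
func renderHardened(u user, store *tokenStore, now time.Time) (string, string, error) {
	tok, err := store.issue(u, 15*time.Minute, now)
	if err != nil {
		return "", "", err
	}
	var buf bytes.Buffer
	err = hardenedPage.Execute(&buf, map[string]string{"Username": u.Username, "SessionToken": tok})
	return buf.String(), tok, err
}

// leaksKey is the check a browser-context script effectively performs:
// does the rendered page contain the long-lived key?
func leaksKey(page string, u user) bool {
	return strings.Contains(page, u.APIKey)
}

func main() {
	u := user{Username: "admin", APIKey: "0123456789abcdef0123456789abcdef"} // constructed sample key
	vp, _ := renderVulnerable(u)
	hp, _, _ := renderHardened(u, newTokenStore(), time.Now())
	fmt.Println("vulnerable page leaks key:", leaksKey(vp, u))
	fmt.Println("hardened page leaks key:  ", leaksKey(hp, u))
}
```

In the hardened design the dashboard's own API calls authenticate with the session token (or simply the session cookie), while the long-lived key is reserved for automation clients and is shown to the user only on explicit request; a token store like this should also be flushed on logout and on API key rotation.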
Attack Vector
The attack vector is network-based. The attacker needs no Gophish account of their own, only script execution in the browser of a legitimate user (low privileges), and the victim must log into the dashboard (user interaction) for the key to be rendered. Realistic scenarios include:
Malicious Browser Extensions: A compromised or malicious browser extension could scrape the rendered page content to harvest API keys from authenticated sessions.
Cross-Site Scripting (XSS): If any XSS vulnerability exists in the application or is introduced through third-party scripts, attackers could inject code to exfiltrate the embedded API keys.
Supply Chain Attacks: Compromised third-party JavaScript libraries loaded by the dashboard could silently collect exposed credentials.
Once obtained, the API key provides persistent, unauthorized access to the Gophish instance without any further authentication: unlike the login session, the key does not expire when the browser session ends and remains valid until the user regenerates it.
Detection Methods for CVE-2025-70963
Indicators of Compromise
- Unexpected API requests originating from IP addresses or user agents not associated with legitimate administrators
- Multiple concurrent API sessions using the same API key from different geographic locations
- Anomalous API activity patterns such as bulk data exports or campaign modifications outside normal business hours
- API key usage beginning shortly after a user's login but originating from a different source address than that login session
Detection Strategies
- Implement monitoring for API key usage patterns and alert on deviations from baseline behavior
- Review browser extension permissions for users accessing the Gophish dashboard and restrict installations to vetted extensions only
- Deploy Content Security Policy (CSP) headers to limit script execution sources and reduce XSS attack surface
- Enable comprehensive API access logging and correlate with user session data to identify potential credential theft
Monitoring Recommendations
- Configure alerts for API access from new or unusual IP addresses or geographic locations
- Monitor for high-volume API requests that may indicate automated credential abuse
- Implement session correlation to track API key usage against authenticated user sessions
- Review audit logs regularly for unauthorized campaign modifications or data exports
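The detection and monitoring items above can be turned into a concrete log check. The Go program below is an added example, not part of Gophish or of this advisory, that scans constructed access-log lines in Combined Log Format (the format a reverse proxy in front of the dashboard would typically write; whether your deployment logs this way is an assumption to verify). It flags three of the indicators listed above: API requests from a source address that never completed a login (a successful POST /login is assumed to answer 302), bursts of campaign-result exports from one address within a time window, and API keys passed as an api_key query parameter, which Gophish's API accepts as an alternative to the Authorization header and which therefore ends up in access logs as well. The thresholds, rule names and sample IPs are illustrative.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
	"time"
)

// sampleLog is constructed test data, not real Gophish output. The first three
// lines are the legitimate admin logging in and using the dashboard; the rest
// are an unknown host using a harvested key to bulk-read campaign results.
const sampleLog = `10.0.0.5 - - [10/Feb/2026:09:00:01 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [10/Feb/2026:09:00:05 +0000] "GET /api/campaigns/ HTTP/1.1" 200 2048 "https://gophish.example/" "Mozilla/5.0"
10.0.0.5 - - [10/Feb/2026:09:01:10 +0000] "GET /api/templates/ HTTP/1.1" 200 1024 "https://gophish.example/" "Mozilla/5.0"
203.0.113.9 - - [10/Feb/2026:09:02:00 +0000] "GET /api/campaigns/ HTTP/1.1" 200 2048 "-" "python-requests/2.31"
203.0.113.9 - - [10/Feb/2026:09:02:01 +0000] "GET /api/campaigns/1/results HTTP/1.1" 200 65536 "-" "python-requests/2.31"
203.0.113.9 - - [10/Feb/2026:09:02:02 +0000] "GET /api/campaigns/2/results HTTP/1.1" 200 65536 "-" "python-requests/2.31"
203.0.113.9 - - [10/Feb/2026:09:02:03 +0000] "GET /api/campaigns/3/results?api_key=0123456789abcdef HTTP/1.1" 200 65536 "-" "python-requests/2.31"`

// lineRe matches Combined Log Format: ip ident user [time] "method path proto" status size "referer" "ua".
var lineRe = regexp.MustCompile(`^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$`)

type entry struct {
	ip, method, path, status, ua string
	ts                           time.Time
}

func parseLine(line string) (entry, error) {
	m := lineRe.FindStringSubmatch(line)
	if m == nil {
		return entry{}, fmt.Errorf("unparsable line: %q", line)
	}
	ts, err := time.Parse("02/Jan/2006:15:04:05 -0700", m[2])
	if err != nil {
		return entry{}, err
	}
	return entry{ip: m[1], ts: ts, method: m[3], path: m[4], status: m[5], ua: m[6]}, nil
}

// Finding is one triggered detection rule for one source address.
type Finding struct {
	Rule, IP, Detail string
}

// analyze walks the log in order and emits findings for API use without a
// prior login, bulk result exports within window, and keys in query strings.
func analyze(logText string, window time.Duration, bulkThreshold int) ([]Finding, error) {
	loggedIn := map[string]bool{}        // addresses that completed a login
	noLoginFlagged := map[string]bool{}  // de-duplicate per address
	bulkFlagged := map[string]bool{}
	resultsHits := map[string][]time.Time{} // recent result-export timestamps per address
	var findings []Finding
	for _, line := range strings.Split(strings.TrimSpace(logText), "\n") {
		e, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		if e.method == "POST" && e.path == "/login" && e.status == "302" {
			loggedIn[e.ip] = true // assumption: successful login redirects
			continue
		}
		if !strings.HasPrefix(e.path, "/api/") {
			continue
		}
		if !loggedIn[e.ip] && !noLoginFlagged[e.ip] {
			noLoginFlagged[e.ip] = true
			findings = append(findings, Finding{"api-without-login", e.ip, e.method + " " + e.path + " (" + e.ua + ")"})
		}
		if strings.Contains(e.path, "api_key=") {
			findings = append(findings, Finding{"key-in-query-string", e.ip, e.path})
		}
		if strings.HasPrefix(e.path, "/api/campaigns/") && strings.Contains(e.path, "/results") {
			var recent []time.Time // keep only hits inside the sliding window
			for _, t := range append(resultsHits[e.ip], e.ts) {
				if e.ts.Sub(t) <= window {
					recent = append(recent, t)
				}
			}
			resultsHits[e.ip] = recent
			if len(recent) >= bulkThreshold && !bulkFlagged[e.ip] {
				bulkFlagged[e.ip] = true
				findings = append(findings, Finding{"bulk-export", e.ip, fmt.Sprintf("%d result exports within %s", len(recent), window)})
			}
		}
	}
	return findings, nil
}

// countRule returns how many findings triggered the given rule.
func countRule(findings []Finding, rule string) int {
	n := 0
	for _, f := range findings {
		if f.Rule == rule {
			n++
		}
	}
	return n
}

func main() {
	findings, err := analyze(sampleLog, time.Minute, 3)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-20s %-14s %s\n", f.Rule, f.IP, f.Detail)
	}
}
```

Run against the sample, only 203.0.113.9 is flagged, once per rule. In production, feed the proxy's real log, replace the login heuristic with whatever your deployment actually records for a successful login, and tune the export threshold and window to the baseline of your own administrators; the key-in-query-string rule is also a reason to prefer the Authorization header for legitimate automation, since a key in the URL is exposed to every log collector on the path.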
How to Mitigate CVE-2025-70963
Immediate Actions Required
- Rotate the API key of every Gophish user to invalidate any credential that may already have been harvested; each user regenerates their own key from the dashboard's account settings, and any automation that uses the old key must be updated
- Restrict dashboard access to trusted networks using firewall rules or VPN requirements
- Audit recent API activity logs for signs of unauthorized access or data exfiltration
- Limit browser extension usage on systems accessing the Gophish administrative interface
Patch Information
At the time of publication, users should monitor the GitHub Gophish issue tracker for updates on patches addressing this vulnerability. Organizations should upgrade to a patched version as soon as one becomes available. In the meantime, implement the recommended workarounds to reduce exposure.
Workarounds
- Implement network segmentation to restrict Gophish dashboard access to dedicated administrative workstations with hardened browser configurations
- Configure API key rotation policies to minimize the impact window of any compromised credentials
- Use browser profiles or containers specifically for Gophish administration with minimal extensions installed
- Add network-level controls such as IP allowlisting for the admin listener, so that a stolen key is only usable from approved addresses
- Deploy a Web Application Firewall (WAF) to add an additional layer of protection against script injection attacks
# Example: Restrict Gophish admin listener access by IP using iptables
# Allow only the trusted admin network (replace 10.0.0.0/24 with yours). Both rules
# are inserted at the top of INPUT (DROP first, then ACCEPT ahead of it) so that a
# broader ACCEPT rule further down cannot bypass them; loopback is excluded from the
# DROP so a reverse proxy on the same host can still reach the listener.
iptables -I INPUT 1 ! -i lo -p tcp --dport 3333 -j DROP
iptables -I INPUT 1 -p tcp --dport 3333 -s 10.0.0.0/24 -j ACCEPT
# Example: nginx reverse proxy with IP restriction in front of the admin server
# The admin UI is served at / and the API under /api/ on the same listener, so
# restrict the whole virtual host rather than a single path. Match proxy_pass to
# admin_server.listen_url in config.json; with the default use_tls=true the
# upstream scheme must be https:// rather than http://.
server {
    listen 443 ssl;
    server_name gophish.example.internal;
    ssl_certificate     /etc/nginx/certs/gophish.crt;
    ssl_certificate_key /etc/nginx/certs/gophish.key;
    location / {
        allow 10.0.0.0/24;
        deny all;
        proxy_pass http://127.0.0.1:3333;
    }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

