Vikunja Rate Limit Bypass Vulnerability for Unauthenticated Users via Spoofed Headers

Vulnerability

A vulnerability in Vikunja, an open-source task management platform, allows unauthenticated users to bypass rate limits by spoofing the 'X-Forwarded-For' or 'X-Real-IP' headers. The issue affects Vikunja versions from 0.8 up to, but not including, 2.2.0. The bypass works because the application derives the client IP address used for rate limiting from these headers when they are present in any request, not only in requests arriving from a configured reverse proxy. A client connecting directly can therefore set any value in either header and be counted as a new client each time. Unauthenticated users can exploit this to send an effectively unlimited number of requests to unauthenticated endpoints, enabling brute-force attacks on usernames or passwords. A reverse proxy that overwrites these headers with the real peer address blocks the direct form of the attack; one that only appends to 'X-Forwarded-For' may not.

Impact

Exploitation of this vulnerability allows unauthenticated users to send an effectively unlimited number of requests to unauthenticated endpoints, bypassing the per-IP rate limits that are otherwise the only brake on credential guessing. This can be abused to brute-force usernames or passwords against the login endpoint.

Reproduction

To reproduce this vulnerability, download and run an affected Vikunja version (0.8 up to, but not including, 2.2.0) using the default Docker Compose file. Do not configure a reverse proxy, so that requests reach the application directly. Once the application is running, use a web proxy such as Burp Suite to intercept requests. Attempt to log in repeatedly with an invalid username and password until the rate limit on the '/api/v1/login' endpoint is triggered and further attempts are rejected. Then add an 'X-Forwarded-For' header with an arbitrary IP address to the same request and send it again: the request is accepted as if it came from a new client, and the limit can be reset again simply by changing the header value. The 'X-Real-IP' header can be used in the same way.

Remediation

Upgrade to Vikunja version 2.2.0 or later. That release addresses the vulnerability by introducing configuration options that control how the client IP is determined, so the forwarding headers are no longer honoured unconditionally. After upgrading, review these options so they match the deployment: the headers should only be trusted when a reverse proxy that sets them sits in front of Vikunja, and a deployment with no reverse proxy should not trust them at all.
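The following is an added example, not Vikunja's own code, that models the two ways of deriving a client IP for rate limiting described in the Vulnerability and Remediation sections. `client_ip_trusting_headers` reproduces the spoofable pattern (believe 'X-Forwarded-For' or 'X-Real-IP' from any peer); `client_ip_proxy_aware` shows the proxy-aware alternative, where forwarding headers are only consulted when the TCP peer is one of a configured list of trusted proxy CIDRs (the `trusted_proxies` parameter is an assumed, illustrative config option, not Vikunja's). A simulated brute-force run against a toy login limiter shows the counter being reset by forged headers in the first case and not in the second. The attacker address, header values, and the limit of 10 attempts are all constructed for the demonstration.

```python
"""Client-IP extraction for rate limiting: spoofable vs. proxy-aware.

Constructed example, not Vikunja code. Models a login endpoint that
rate-limits per client IP and shows how trusting X-Forwarded-For /
X-Real-IP from any peer lets an attacker reset the counter.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field

LIMIT = 10  # hypothetical: failed logins allowed per client IP per window


@dataclass
class Request:
    remote_addr: str  # peer address seen on the TCP socket
    headers: dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str | None:
        # HTTP header names are case-insensitive
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None


def client_ip_trusting_headers(req: Request) -> str:
    """Vulnerable pattern: believe forwarding headers from any peer.

    Leftmost X-Forwarded-For entry, then X-Real-IP, then socket address.
    With no reverse proxy in front, both headers are attacker-controlled.
    """
    xff = req.header("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    real_ip = req.header("X-Real-IP")
    if real_ip:
        return real_ip.strip()
    return req.remote_addr


def client_ip_proxy_aware(req: Request, trusted_proxies: list[str]) -> str:
    """Hardened pattern: only consult X-Forwarded-For when the peer is a
    configured proxy, then walk the chain from the right, skipping trusted
    hops, so the result is the first address a trusted party observed.

    trusted_proxies: CIDR strings (assumed config option). Empty list means
    no proxy in front, so headers are ignored entirely.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def trusted(ip: str) -> bool:
        try:
            return any(ipaddress.ip_address(ip) in n for n in nets)
        except ValueError:
            return False  # not an IP at all: never trusted

    if not trusted(req.remote_addr):
        return req.remote_addr  # direct connection: headers are untrusted
    xff = req.header("X-Forwarded-For")
    if not xff:
        return req.remote_addr
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not trusted(hop):
            return hop  # first hop not a trusted proxy
    return req.remote_addr  # every hop was a proxy: fall back to the peer


class LoginRateLimiter:
    """Counts requests per key; window expiry omitted for brevity."""

    def __init__(self, key_func, limit: int = LIMIT):
        self.key_func = key_func
        self.limit = limit
        self.counts = defaultdict(int)

    def handle(self, req: Request) -> int:
        """Return 429 once the bucket is exhausted, else 401 (bad credentials)."""
        key = self.key_func(req)
        self.counts[key] += 1
        return 429 if self.counts[key] > self.limit else 401


def brute_force(limiter: LoginRateLimiter, attempts: int, spoof: bool) -> int:
    """Simulate bad logins from one constructed attacker host (198.51.100.7).

    With spoof=True each request carries a different forged X-Forwarded-For.
    Returns how many attempts were processed rather than answered with 429.
    """
    processed = 0
    for i in range(attempts):
        headers = {"X-Forwarded-For": f"10.0.{i // 256}.{i % 256}"} if spoof else {}
        if limiter.handle(Request("198.51.100.7", headers)) != 429:
            processed += 1
    return processed


def demo(attempts: int = 50) -> dict[str, int]:
    """Processed attempts out of `attempts` for each extraction strategy."""
    hardened_no_proxy = lambda r: client_ip_proxy_aware(r, trusted_proxies=[])
    return {
        "vulnerable_plain": brute_force(LoginRateLimiter(client_ip_trusting_headers), attempts, False),
        "vulnerable_spoofed": brute_force(LoginRateLimiter(client_ip_trusting_headers), attempts, True),
        "hardened_spoofed": brute_force(LoginRateLimiter(hardened_no_proxy), attempts, True),
    }


if __name__ == "__main__":
    print(demo())
```

With 50 attempts the vulnerable limiter lets 10 through when the headers are left alone and all 50 when each request forges a new 'X-Forwarded-For', while the proxy-aware limiter with no trusted proxies configured lets only 10 through regardless of headers. When a proxy is configured, the hardened extractor returns the rightmost non-proxy entry of the chain, so a forged leftmost value appended to by an honest proxy is ignored.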

Added: Mar 20, 2026, 3:20 PM
Updated: Mar 20, 2026, 3:20 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.3
remediation: 0.0
relevance: 4.2
threat: 6.4
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.