Vikunja Denial-of-Service Vulnerability via Unbounded Image Processing in Attachment Previews

Vulnerability

A denial-of-service vulnerability has been identified in Vikunja, an open-source task management platform, affecting versions from 1.0.0-rc0 up to but not including 2.2.0. When the API generates a preview for an uploaded task attachment, it decodes and resizes the image without first checking its declared dimensions. Because PNG is losslessly compressed, a mostly uniform image of a few hundred kilobytes can declare dimensions whose decoded pixel buffer is hundreds of megabytes, so each preview request costs the server far more CPU and memory than the upload itself. The vulnerability can be exploited by any authenticated user with write access to a task, provided task attachments are enabled.

Impact

Exploitation of this vulnerability can exhaust CPU and memory on the server hosting the Vikunja API, degrading service for all users or crashing the API process.

Reproduction

The vulnerability can be reproduced by uploading a 10,000x10,000 pixel PNG as a task attachment. Despite a file size of only 284 KB, the image expands to 100 million pixels when decoded, roughly 400 MB at four bytes per RGBA pixel. The first preview request for the attachment then spends considerable CPU resizing that buffer. Subsequent requests for the same attachment are served faster from the cache, but the cache does not mitigate the issue: an attacker can upload additional large images, each of which triggers a fresh decode, or issue concurrent requests so that multiple decodes run before the cache is populated.
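The header-first check that the mechanism above calls for, together with the arithmetic behind the 10,000x10,000 reproduction case, as an added Go example; this is not Vikunja's own code and does not reproduce its fix. image.DecodeConfig reads only the PNG IHDR chunk, so the dimensions can be bounded before image.Decode allocates the pixel buffer. The 25-megapixel limit, the function names and the nearest-neighbour resize are assumptions for illustration; the oversized input is a constructed header-only PNG (signature plus IHDR) so that the demonstration itself never allocates the 400 MB a real decode would.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	"image/color"
	"image/png"
	"math"
)

// MaxPreviewPixels is an assumed limit for this example, not Vikunja's value:
// 25 megapixels is about 100 MB of RGBA, so a 10,000x10,000 (100 MP) upload exceeds it.
const MaxPreviewPixels int64 = 25_000_000

var ErrImageTooLarge = errors.New("image dimensions exceed preview limit")

// DecodedRGBABytes is the memory a full decode needs at 4 bytes per pixel.
func DecodedRGBABytes(cfg image.Config) int64 {
	return int64(cfg.Width) * int64(cfg.Height) * 4
}

// BoundedDecode reads only the header (for PNG, the IHDR chunk) via
// image.DecodeConfig and rejects the upload before image.Decode allocates the
// pixel buffer. The vulnerable pattern is a bare image.Decode on the upload.
func BoundedDecode(data []byte, maxPixels int64) (image.Image, error) {
	cfg, format, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return nil, fmt.Errorf("reading image header: %w", err)
	}
	if int64(cfg.Width)*int64(cfg.Height) > maxPixels {
		return nil, fmt.Errorf("%w: %s %dx%d would decode to %d bytes",
			ErrImageTooLarge, format, cfg.Width, cfg.Height, DecodedRGBABytes(cfg))
	}
	img, _, err := image.Decode(bytes.NewReader(data))
	return img, err
}

// Thumbnail is a minimal nearest-neighbour downscale standing in for the resize
// step of preview generation; it keeps the aspect ratio and never upscales.
func Thumbnail(src image.Image, maxSide int) *image.NRGBA {
	b := src.Bounds()
	w, h := b.Dx(), b.Dy()
	if w > maxSide || h > maxSide {
		f := float64(maxSide) / math.Max(float64(w), float64(h))
		w, h = int(math.Max(1, float64(w)*f)), int(math.Max(1, float64(h)*f))
	}
	dst := image.NewNRGBA(image.Rect(0, 0, w, h))
	for y := 0; y < h; y++ {
		for x := 0; x < w; x++ {
			dst.Set(x, y, src.At(b.Min.X+x*b.Dx()/w, b.Min.Y+y*b.Dy()/h))
		}
	}
	return dst
}

// PNGHeaderOnly builds just the PNG signature and IHDR chunk (8-bit RGBA) for the
// given dimensions. Constructed for this example so DecodeConfig reports the
// claimed size without encoding a real 100-megapixel file.
func PNGHeaderOnly(width, height uint32) []byte {
	var buf bytes.Buffer
	buf.Write([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'})
	ihdr := make([]byte, 13) // width, height, depth, colour type, compression, filter, interlace
	binary.BigEndian.PutUint32(ihdr[0:4], width)
	binary.BigEndian.PutUint32(ihdr[4:8], height)
	ihdr[8], ihdr[9] = 8, 6 // bit depth 8, colour type 6 = truecolour with alpha
	chunk := append([]byte("IHDR"), ihdr...)
	binary.Write(&buf, binary.BigEndian, uint32(len(ihdr)))
	buf.Write(chunk)
	binary.Write(&buf, binary.BigEndian, crc32.ChecksumIEEE(chunk)) // CRC covers type + data
	return buf.Bytes()
}

// SmallPNG encodes a real, complete 64x48 RGBA gradient: the benign upload case.
func SmallPNG() []byte {
	img := image.NewNRGBA(image.Rect(0, 0, 64, 48))
	for y := 0; y < 48; y++ {
		for x := 0; x < 64; x++ {
			img.Set(x, y, color.NRGBA{R: uint8(x * 4), G: uint8(y * 5), B: 128, A: 255})
		}
	}
	var buf bytes.Buffer
	if err := png.Encode(&buf, img); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	inputs := map[string][]byte{"64x48 upload": SmallPNG(), "10000x10000 claim": PNGHeaderOnly(10000, 10000)}
	for name, data := range inputs {
		img, err := BoundedDecode(data, MaxPreviewPixels)
		if err != nil {
			fmt.Printf("%s: rejected: %v\n", name, err)
			continue
		}
		th := Thumbnail(img, 32)
		fmt.Printf("%s: %d-byte file, preview %dx%d\n", name, len(data), th.Bounds().Dx(), th.Bounds().Dy())
	}
}
```

Running it accepts the 64x48 upload and produces a 32x24 preview, while the 33-byte header claiming 10,000x10,000 is rejected with the 400,000,000-byte estimate in the error. In a streaming upload handler the same check works on an io.Reader by buffering what DecodeConfig consumed with io.TeeReader, or by seeking back to the start of the temporary file. The pixel limit should be set against the worker's memory budget, and because the page notes that concurrent requests multiply the cost, the decode still needs a per-process concurrency cap in addition to the dimension check.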

Remediation

Users are advised to update Vikunja to version 2.2.0 or later, where this vulnerability has been patched.

Added: Mar 24, 2026, 4:29 PM
Updated: Mar 24, 2026, 4:29 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.6
remediation: 0.0
relevance: 4.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.