Vikunja SSRF Vulnerability in Migration Module Allows Internal Resource Access

Vulnerability

A server-side request forgery (SSRF) vulnerability has been identified in Vikunja, an open-source task management platform, in versions prior to 2.2.1. The issue lies in the migration helper functions 'DownloadFile' and 'DownloadFileWithHeaders', which issue HTTP GET requests to arbitrary URLs without SSRF protection. During migrations from Todoist or Trello, file attachment URLs returned by the third-party API are passed directly to these functions. An attacker who controls those attachment URLs can therefore make the Vikunja server fetch internal network resources and store the response as a downloadable task attachment. The root cause is that the migration HTTP client uses a standard 'http.Client' with no URL validation, no private-IP blocklisting, no redirect restrictions, and no response size limit.

Impact

Exploitation of this vulnerability allows authenticated attackers to read internal network resources, such as cloud instance metadata and IAM credentials, probe internal services, access trusted internal APIs, and cause a denial-of-service by exhausting server memory with large response bodies.

Reproduction

To reproduce this vulnerability, an authenticated Vikunja user initiates a migration from Todoist or Trello whose file attachment data contains internal URLs. The migration process passes those URLs to the vulnerable 'DownloadFile' and 'DownloadFileWithHeaders' functions, which fetch them from the server. Once the migration completes, the fetched internal data can be retrieved through the Vikunja API by downloading the task attachment created during the migration.

Remediation

Users can upgrade to Vikunja version 2.2.1 or later, where this vulnerability has been patched. The migration module now uses a centralized SSRF protection layer that filters outgoing HTTP requests, preventing the exploitation of this vulnerability.
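As an added illustration (not Vikunja's own code or its actual patch), the following Go client adds the controls the advisory lists as missing around a standard 'http.Client': a private-address filter applied at dial time (after DNS resolution, so DNS rebinding and every redirect hop are covered; Go's default CheckRedirect already stops after 10 hops), timeouts, and a hard response size limit. The function names and the 32 MiB limit are assumptions for this example.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net"
	"net/http"
	"syscall"
	"time"
)

// maxBody caps an attachment body; assumed value for this example, not Vikunja's.
const maxBody = 32 << 20

// isPublicIP rejects loopback, private (RFC 1918/4193), link-local (covers 169.254.169.254), unspecified and multicast addresses.
func isPublicIP(ip net.IP) bool {
	return ip != nil && !(ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() ||
		ip.IsLinkLocalMulticast() || ip.IsInterfaceLocalMulticast() || ip.IsUnspecified() || ip.IsMulticast())
}

// checkDial runs after DNS resolution and before the socket connects, so a hostname
// that later re-resolves to an internal IP, or a redirect to one, is still refused.
func checkDial(_, address string, _ syscall.RawConn) error {
	host, _, err := net.SplitHostPort(address) // address is always "ip:port" here
	if err == nil && !isPublicIP(net.ParseIP(host)) {
		err = fmt.Errorf("ssrf guard: refusing to connect to %s", address)
	}
	return err
}

// newMigrationClient wires checkDial into the dialer and adds connect/request timeouts.
func newMigrationClient() *http.Client {
	d := &net.Dialer{Timeout: 10 * time.Second, Control: checkDial}
	return &http.Client{Timeout: 30 * time.Second, Transport: &http.Transport{DialContext: d.DialContext}}
}

// downloadFile fetches an attachment URL and rejects (rather than truncates) any
// body larger than maxBody, so a hostile server cannot exhaust memory.
func downloadFile(c *http.Client, rawURL string) ([]byte, error) {
	resp, err := c.Get(rawURL)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	data, err := io.ReadAll(io.LimitReader(resp.Body, maxBody+1))
	if err == nil && len(data) > maxBody {
		return nil, errors.New("ssrf guard: attachment exceeds size limit")
	}
	return data, err
}
```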

Added: Mar 24, 2026, 4:52 PM
Updated: Mar 24, 2026, 4:52 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 6.3
remediation: 0.0
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.