Vikunja Repeating Task Handler Denial-of-Service Vulnerability
Vulnerability
A denial-of-service vulnerability has been identified in Vikunja, a self-hosted task management platform, prior to version 2.3.0. The issue arises in the 'addRepeatIntervalToTime' function, which advances a date by the task's 'RepeatAfter' duration in a loop that continues until the date exceeds the current time. The loop is O(n) in the number of intervals between the date and the current time. By creating a repeating task with a 1-second interval and a due date far in the past, an attacker can trigger billions of loop iterations. This excessive processing consumes CPU resources and holds a database connection for several minutes per request, causing a significant slowdown of the application.
Impact
Exploitation of this vulnerability can lead to a severe degradation of application performance, causing the Vikunja instance to become unresponsive. This is achieved by exhausting the database connection pool, which prevents users from accessing the application.
Reproduction
To reproduce this vulnerability, create a repeating task with a 1-second interval and a due date in the distant past, such as January 1, 1900. Once the task is created, mark it as done. This action will trigger the vulnerable loop, causing the application to hang for over 60 seconds while the loop runs approximately 4 billion iterations. During this time, the request occupies a database connection, which can lead to a complete exhaustion of available connections if done concurrently.
Remediation
Users can update to Vikunja version 2.3.0, where this vulnerability has been fixed.
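The following added example (not Vikunja's code, and not necessarily the change shipped in 2.3.0) contrasts the interval-by-interval loop described above with a constant-time calculation of the same date. The names stepsByLoop, nextDue and budget are hypothetical, times are Unix seconds, and the sample dates are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// stepsByLoop reproduces the pattern the advisory describes: add the interval
// to the due date until it passes now. Work grows with (now-due)/interval.
// budget is an added guard so this demo stops instead of spinning.
func stepsByLoop(now, due, interval, budget int64) (next, steps int64, ok bool) {
	for next = due; steps < budget; {
		next += interval
		steps++
		if next > now {
			return next, steps, true
		}
	}
	return next, steps, false
}

// nextDue returns the same date with one division, so the cost no longer
// depends on how old the due date is. Non-positive intervals are rejected.
func nextDue(now, due, interval int64) (next, steps int64, err error) {
	if interval <= 0 {
		return due, 0, errors.New("repeat interval must be positive")
	}
	steps = 1 // the loop always advances at least once
	if due <= now {
		steps = (now-due)/interval + 1
	}
	return due + steps*interval, steps, nil
}

func main() {
	// Constructed sample: 1-second interval, due date 1 January 1900.
	due := time.Date(1900, 1, 1, 0, 0, 0, 0, time.UTC).Unix()
	now := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC).Unix()

	_, n, ok := stepsByLoop(now, due, 1, 1_000_000)
	fmt.Printf("loop: gave up after %d steps, finished=%v\n", n, ok)

	next, steps, _ := nextDue(now, due, 1)
	fmt.Printf("arithmetic: %d intervals skipped at once, next due %s\n",
		steps, time.Unix(next, 0).UTC().Format(time.RFC3339))
}
```

On an instance that cannot be upgraded immediately, the same iteration count, (now - due) / interval, is a useful value to alert on when auditing stored repeating tasks.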
