Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the migration helper functions DownloadFile and DownloadFileWithHeaders in pkg/modules/migration/helpers.go make arbitrary HTTP GET requests without any SSRF protection. When a user triggers a Todoist or Trello migration, file attachment URLs from the third-party API response are passed directly to these functions, allowing an attacker to force the Vikunja server to fetch internal network resources and return the response as a downloadable task attachment. Version 2.2.1 patches the issue.
AnalysisAI
Vikunja prior to version 2.2.1 contains a Server-Side Request Forgery (SSRF) vulnerability in its migration helper functions that lack HTTP request validation. An authenticated attacker can exploit this by triggering a Todoist or Trello migration, which causes the Vikunja server to fetch arbitrary URLs specified in attachment metadata from third-party APIs, potentially exposing internal network resources and returning their contents as task attachments. The vulnerability requires low privilege (authenticated user) and carries a CVSS score of 6.4 with moderate confidentiality and availability impact across network boundaries.
Technical ContextAI
The vulnerability exists in the migration module of Vikunja (cpe:2.3:a:go-vikunja:vikunja), specifically in the functions DownloadFile and DownloadFileWithHeaders located in pkg/modules/migration/helpers.go. These functions perform unconstrained HTTP GET requests without SSRF protection mechanisms such as URL validation, private IP range filtering, or DNS rebinding defenses. When users import tasks from third-party platforms like Todoist or Trello via Vikunja's migration feature, the attachment URLs returned by those APIs are passed directly to these download functions without sanitization. This represents a classic CWE-918 (Server-Side Request Forgery) vulnerability where user-controlled or attacker-influenced input (the attachment URLs) is used to construct server-initiated network requests, allowing the attacker to probe internal network topology, access internal services, or retrieve sensitive data from localhost or private IP ranges.
RemediationAI
Upgrade Vikunja to version 2.2.1 or later immediately, as this version includes SSRF protections in the migration helper functions. The patch is available in the upstream repository at https://github.com/go-vikunja/vikunja/commit/93297742236e3d33af72c993e5da960db01d259e. Until patching is completed, restrict migration functionality to trusted administrator accounts only by enforcing role-based access controls on the Todoist and Trello migration features. Additionally, implement network segmentation to prevent the Vikunja server from reaching internal services—use egress firewall rules to block outbound connections to private IP ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.1/8, 169.254.0.0/16) and to local metadata services.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14916