Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.1, the DownloadImage function in pkg/utils/avatar.go uses a bare http.Client{} with no SSRF protection when downloading user avatar images from the OpenID Connect picture claim URL. An attacker who controls their OIDC profile picture URL can force the Vikunja server to make HTTP GET requests to arbitrary internal or cloud metadata endpoints. This bypasses the SSRF protections that are correctly applied to the webhook system. Version 2.2.1 patches the issue.
AnalysisAI
Vikunja versions prior to 2.2.1 contain a Server-Side Request Forgery (SSRF) vulnerability in the avatar image download functionality that fails to implement proper protections when fetching user profile pictures from OpenID Connect provider URLs. An authenticated attacker can exploit this by controlling their OIDC profile picture URL to force the Vikunja server to make arbitrary HTTP GET requests to internal networks or cloud metadata endpoints, potentially disclosing sensitive information. The vulnerability has a CVSS score of 6.4 (medium severity) and is patched in version 2.2.1.
Technical ContextAI
The vulnerability exists in the DownloadImage function within pkg/utils/avatar.go of the Vikunja task management platform (identified by CPE cpe:2.3:a:go-vikunja:vikunja). The root cause is classified under CWE-918 (Server-Side Request Forgery), which occurs when an application fetches remote resources based on user-controlled input without proper validation. Specifically, when processing the picture claim from OpenID Connect provider responses, the code instantiates a bare http.Client{} without implementing SSRF protections such as URL scheme validation, private IP range blocking, or DNS resolution filtering. This contrasts sharply with the webhook system in the same codebase, which correctly implements such protections, indicating this is a consistency/oversight issue rather than a systemic design flaw. The attacker-controlled URL can target internal services (e.g., internal APIs on RFC1918 addresses) or cloud provider metadata endpoints (e.g., AWS EC2 metadata service at 169.254.169.254), creating information disclosure risk.
RemediationAI
Upgrade Vikunja to version 2.2.1 or later, which includes the patched DownloadImage function with proper SSRF protections. The official vendor security advisory is available at https://github.com/go-vikunja/vikunja/security/advisories/GHSA-g9xj-752q-xh63 and the fix can be reviewed at https://github.com/go-vikunja/vikunja/commit/363aa6642352b08fc8bc6aaff2f3a550393af1cf. For deployments where immediate patching is not feasible, implement network segmentation to restrict the Vikunja server's outbound HTTP/HTTPS access to only trusted OIDC provider domains and their CDNs, and disable or restrict OIDC authentication if it is not essential. Additionally, configure firewall rules to prevent access from the Vikunja server to internal metadata endpoints (169.254.169.254 for AWS) and RFC1918 address ranges.
Same weakness CWE-918 – Server-Side Request Forgery (SSRF)
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Leap 15.6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| openSUSE Leap 15.5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14923