CVE-2026-27819: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go-vikunja vikunja
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the intended extraction directory to overwrite arbitrary files on the host system. Additionally, we’ve discovered that a malformed archive triggers a runtime panic, crashing the process immediately after the database has been wiped permanently.

The application trusts the metadata in the ZIP archive. It uses the Name attribute of the zip.File struct directly in os.OpenFile calls without validation, allowing files to be written outside the intended directory.

The restoration logic assumes a specific directory structure within the ZIP. When provided with a "minimalist" malicious ZIP, the application fails to validate the length of slices derived from the archive contents. Specifically, at line 154, the code attempts to access an index of len(ms)-2 on an insufficiently populated slice, triggering a panic. Version 2.0.0 fixes the issue.
AI Analysis
Technical Summary
Vikunja is an open-source, self-hosted task management platform. In versions prior to 2.0.0, the restoreConfig function in the dump module (vikunja/pkg/modules/dump/restore.go) is vulnerable to a path traversal attack due to improper validation of file paths extracted from ZIP archives. The function directly uses the Name attribute from the zip.File struct in os.OpenFile calls without sanitizing or restricting the file paths to the intended extraction directory. This flaw allows an attacker to craft a malicious ZIP archive with file paths containing traversal sequences (e.g., ../) that escape the target directory and overwrite arbitrary files on the host system.

Furthermore, the restoration logic assumes a specific directory structure within the ZIP archive. When given a minimalist or malformed archive, the code attempts to access an out-of-bounds index in a slice derived from the archive contents (specifically at line 154, accessing len(ms)-2), causing a runtime panic. This panic crashes the process immediately after the database has been wiped, resulting in permanent data loss.

The vulnerability combines CWE-22 (Improper Limitation of a Pathname to a Restricted Directory) and CWE-248 (Uncaught Exception). The issue was fixed in version 2.0.0 by adding proper path sanitization and validation of archive contents before file operations. The CVSS 3.1 base score is 7.2, reflecting network attack vector, low attack complexity, required privileges, no user interaction, and high impact on confidentiality, integrity, and availability.
Potential Impact
This vulnerability poses a significant risk to organizations using Vikunja versions prior to 2.0.0. An authenticated attacker with access to the restore functionality can supply a crafted ZIP archive to overwrite arbitrary files on the host system, potentially leading to privilege escalation, data corruption, or system compromise. The ability to overwrite critical system or application files can disrupt operations or facilitate further attacks. Additionally, the runtime panic triggered by malformed archives causes an immediate crash after wiping the database, resulting in permanent data loss and service downtime. Organizations relying on Vikunja for task management and project tracking may face operational disruption, loss of critical data, and potential exposure of sensitive information. The requirement for authentication limits the attack surface but does not eliminate risk, especially in environments with multiple users or weak access controls. The vulnerability affects confidentiality, integrity, and availability, making it a high-impact issue.
Mitigation Recommendations
Organizations should upgrade Vikunja to version 2.0.0 or later, where this vulnerability is fixed. Until upgrading, restrict access to the restore functionality to trusted administrators only, minimizing the risk of malicious archive uploads. Implement strict input validation and sanitization on ZIP archive contents before restoration, ensuring file paths do not escape the intended extraction directory. Employ file system permissions and sandboxing to limit the impact of potential file overwrites. Regularly back up Vikunja databases and configuration files to enable recovery in case of data loss. Monitor application logs for unusual restore attempts or errors indicating malformed archives. Consider deploying runtime application self-protection (RASP) or file integrity monitoring to detect and prevent unauthorized file modifications. Finally, educate administrators on the risks of restoring from untrusted archives and enforce strong authentication and access controls.
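The archive validation recommended above can run as a pre-flight pass before any destructive restore step. The following Go sketch is an added example, not Vikunja's code or its 2.0.0 fix; the function names, the /srv/restore destination and the rule that every file must sit in a parent directory are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin maps an archive entry name under destDir and rejects absolute
// names and names that climb out of destDir through "..".
func safeJoin(destDir, name string) (string, error) {
	name = strings.ReplaceAll(name, `\`, "/") // treat "\" as a separator too
	target := filepath.Join(destDir, filepath.FromSlash(name))
	rel, err := filepath.Rel(destDir, target)
	if err != nil || strings.HasPrefix(name, "/") || rel == ".." ||
		strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %q", name, destDir)
	}
	return target, nil
}

// preflight checks every entry name (as read from zip.File.Name) before any
// destructive step such as a database wipe, so a bad archive is refused
// while existing state is still intact.
func preflight(names []string, destDir string) ([]string, error) {
	var targets []string
	for _, name := range names {
		target, err := safeJoin(destDir, name)
		if err != nil {
			return nil, err
		}
		// Assumed layout rule: every file sits in a parent directory. Check
		// the length first instead of indexing parts[len(parts)-2] blindly.
		parts := strings.Split(strings.Trim(name, "/"), "/")
		if !strings.HasSuffix(name, "/") && len(parts) < 2 {
			return nil, fmt.Errorf("entry %q lacks a parent directory", name)
		}
		targets = append(targets, target)
	}
	return targets, nil
}

func main() {
	// Constructed names: valid, traversal, and missing parent directory.
	for _, n := range []string{"files/a.txt", "../../outside.txt", "lonely.json"} {
		_, err := preflight([]string{n}, "/srv/restore")
		fmt.Printf("%q -> %v\n", n, err)
	}
}
```

Only the paths returned by preflight should be opened for writing, and the restore should abort without touching existing data if it returns an error.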
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Sweden, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:32:39.799Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f7012b7ef31ef0b5b7bc5
Added to database: 2/25/2026, 9:56:34 PM
Last enriched: 3/5/2026, 10:01:38 AM
Last updated: 4/12/2026, 3:08:42 AM