CVE-2026-27819: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in go-vikunja vikunja
Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the restoreConfig function in vikunja/pkg/modules/dump/restore.go of the go-vikunja/vikunja repository fails to sanitize file paths within the provided ZIP archive. A maliciously crafted ZIP can bypass the intended extraction directory to overwrite arbitrary files on the host system. Additionally, we’ve discovered that a malformed archive triggers a runtime panic, crashing the process immediately after the database has been wiped permanently. The application trusts the metadata in the ZIP archive. It uses the Name attribute of the zip.File struct directly in os.OpenFile calls without validation, allowing files to be written outside the intended directory. The restoration logic assumes a specific directory structure within the ZIP. When provided with a "minimalist" malicious ZIP, the application fails to validate the length of slices derived from the archive contents. Specifically, at line 154, the code attempts to access an index of len(ms)-2 on an insufficiently populated slice, triggering a panic. Version 2.0.0 fixes the issue.
AI Analysis
Technical Summary
Vikunja is an open-source, self-hosted task management platform that allows users to manage tasks and projects. Prior to version 2.0.0, the restoreConfig function in the dump module (vikunja/pkg/modules/dump/restore.go) contains a critical path traversal vulnerability (CWE-22). This function processes ZIP archives to restore configuration and data. However, it fails to sanitize or validate the file paths contained within the ZIP archive entries. Specifically, the application uses the Name attribute from the zip.File struct directly in os.OpenFile calls without any path normalization or restriction checks. This allows an attacker to craft a ZIP archive with file paths containing directory traversal sequences (e.g., ../) to write files outside the intended extraction directory, potentially overwriting arbitrary files on the host system. This can lead to arbitrary code execution or system compromise depending on which files are overwritten. Furthermore, the restoration logic assumes a specific directory structure within the ZIP archive. When provided with a minimalist or malformed archive, the code attempts to access an index at len(ms)-2 on a slice derived from the archive contents without validating the slice length. This results in a runtime panic that crashes the process immediately after the database has been wiped permanently, causing denial of service and data loss. The vulnerability requires authenticated access to the restore functionality but does not require user interaction. The CVSS v3.1 score is 7.2 (high), with vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating network exploitability with low attack complexity, requiring high privileges, no user interaction, and impacting confidentiality, integrity, and availability. Version 2.0.0 of Vikunja fixes these issues by properly sanitizing file paths and validating archive structure before processing.
Potential Impact
The vulnerability allows an authenticated attacker to perform arbitrary file overwrite on the host system by exploiting path traversal in the restoration ZIP archive processing. This can lead to severe consequences including arbitrary code execution, privilege escalation, or persistent backdoors if critical system or application files are overwritten. Additionally, the malformed archive-induced panic causes immediate application crash after permanent database deletion, resulting in data loss and denial of service. Organizations relying on Vikunja for task and project management face risks of operational disruption, data integrity compromise, and potential system takeover. Since the vulnerability affects restoration functionality, attackers with access to backup or restore features can weaponize this flaw. The high CVSS score reflects the broad impact on confidentiality, integrity, and availability. Although exploitation requires authenticated access, insider threats or compromised credentials could enable attacks. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate it, especially as public disclosure may lead to exploit development. Organizations using affected versions should consider this a critical security issue requiring prompt remediation to avoid data loss, service disruption, and potential system compromise.
Mitigation Recommendations
1. Upgrade Vikunja to version 2.0.0 or later, where the vulnerability is fixed with proper path sanitization and archive validation.
2. Until upgrade is possible, restrict access to the restore functionality to trusted administrators only, minimizing the risk of malicious archive uploads.
3. Implement network-level access controls and multi-factor authentication to reduce the risk of unauthorized authenticated access.
4. Monitor logs for unusual restore operations or failed attempts that could indicate exploitation attempts.
5. Validate and scan all backup and restore archives for suspicious file paths before processing.
6. Employ file system monitoring to detect unexpected file modifications outside designated directories.
7. Regularly back up data and verify backup integrity to enable recovery in case of data loss from exploitation.
8. Consider running Vikunja restoration processes in isolated environments or containers with limited file system permissions to contain potential damage.
9. Educate administrators on the risks of importing untrusted ZIP archives and enforce strict operational procedures around restoration.
10. Stay informed on any emerging exploit reports or patches related to this vulnerability.
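The containment check the Technical Summary says restoreConfig lacked, and the pre-processing archive scan recommended in mitigation 5, as an added Go example that is not Vikunja's code: every zip.File.Name is resolved under the destination and rejected if it is absolute or escapes it, and the whole archive is scanned before anything destructive runs. The destination path and the archive contents are constructed for the example.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin resolves an entry name under dest, rejecting absolute names and any
// cleaned path that lands outside dest: the check the vulnerable code lacked.
func safeJoin(dest, name string) (string, error) {
	if name == "" || strings.HasPrefix(name, "/") || filepath.IsAbs(name) {
		return "", fmt.Errorf("absolute or empty entry name %q", name)
	}
	base := filepath.Clean(dest)
	target := filepath.Join(base, filepath.FromSlash(name)) // Join collapses ".."
	if target != base && !strings.HasPrefix(target, base+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %q", name, dest)
	}
	return target, nil
}

// ScanArchive validates every entry of an in-memory ZIP against dest and returns
// the names that would escape; it covers the whole archive up front so it can
// run before any destructive restore step instead of failing mid-restore.
func ScanArchive(data []byte, dest string) ([]string, error) {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	// Go 1.20+ may flag insecure names itself (GODEBUG zipinsecurepath); the
	// *Reader is still usable and every name is re-checked here regardless.
	if err != nil && err != zip.ErrInsecurePath {
		return nil, err
	}
	var bad []string
	for _, f := range r.File {
		if _, jerr := safeJoin(dest, f.Name); jerr != nil {
			bad = append(bad, f.Name)
		}
	}
	return bad, nil
}

// SampleArchive is a constructed ZIP: one benign entry plus two a restore must reject.
func SampleArchive() []byte {
	var buf bytes.Buffer
	zw := zip.NewWriter(&buf)
	for _, name := range []string{"config/config.yml", "../../escaped.txt", "/absolute.txt"} {
		_, _ = zw.Create(name) // in-memory writer; empty entries are enough for the scan
	}
	zw.Close()
	return buf.Bytes()
}
```

The second defect in the advisory needs only a bounds guard of the same shape (`if len(ms) < 2 { return fmt.Errorf(...) }`) placed before the `len(ms)-2` index; for both defects the point is that the checks run before the database is wiped.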
Affected Countries
United States, Germany, France, United Kingdom, Canada, Australia, Netherlands, Sweden, Switzerland, Japan, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-24T02:32:39.799Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 699f7012b7ef31ef0b5b7bc5
Added to database: 2/25/2026, 9:56:34 PM
Last enriched: 2/25/2026, 10:11:16 PM
Last updated: 2/25/2026, 11:32:17 PM