PT-2026-26764 · Vikunja

Aryma-F4 · Published 2026-03-20 · Updated 2026-03-27 · CVE-2026-33474

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Vikunja versions prior to 2.2.0

Description: The software is susceptible to a denial-of-service (DoS) condition triggered by unbounded image decoding and resizing during preview generation. An attacker can exploit this by providing a highly compressed but extremely large-dimension image. The initial preview generation for each attachment can consume significant CPU and memory; multiple attachments or concurrent requests can lead to service degradation or crashes. The issue stems from the lack of input validation on image dimensions during the decoding and resizing process, specifically within the GetPreview function, the resizing path, and the API endpoint /api/v1/task attachment. The vulnerability can be triggered by uploading a 10,000x10,000 PNG image, which expands to approximately 100MB in memory during decoding and causes substantial CPU load during resizing. The first preview request performs the heavy work; subsequent requests are served from a cache. A proof-of-concept (POC) script utilizing curl and python3 (Pillow) demonstrates the generation of a large PNG image, its upload, and the subsequent request for an 'xl' preview, recording timing and memory metrics.

Recommendations: Versions prior to 2.2.0 should be updated to a fixed version. Implement input validation to reject images exceeding a maximum width, height, or total pixel count. Consider adding per-user and per-attachment rate limiting for preview generation. Implement asynchronous preview generation with throttling and backpressure. Configure a cache eviction strategy to prevent repeated heavy processing.
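The dimension check and the throttling recommended above, written out as an added Go example (Vikunja is a Go project, but this is not Vikunja's code and does not reproduce its GetPreview function or the 2.2.0 fix). The limits MaxWidth, MaxHeight and MaxPixels, the slot count, and the names CheckImageDimensions, DecodeBounded and WithPreviewSlot are assumptions for illustration. Both PNG fixtures are constructed in memory; the header-only one exists so the check can be exercised against a declared 10,000x10,000 size without materialising any pixels.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	_ "image/jpeg" // registers JPEG so DecodeConfig recognises it too
	"image/png"    // registers PNG and provides png.Encode for the fixture
	"io"
)

// Hypothetical limits for this example; the advisory does not state Vikunja's.
const (
	MaxWidth  = 4096
	MaxHeight = 4096
	MaxPixels = 8_000_000 // width*height cap; catches e.g. 4000x4000
)

var (
	ErrImageTooLarge = errors.New("image dimensions exceed configured limits")
	ErrPreviewBusy   = errors.New("preview generation saturated, retry later")
)

// CheckImageDimensions reads only the image header (image.DecodeConfig) and
// rejects files whose declared size exceeds the limits. No raster is
// allocated, so a 10,000x10,000 PNG is refused before its ~100 MB decode.
func CheckImageDimensions(r io.Reader) (image.Config, error) {
	cfg, format, err := image.DecodeConfig(r)
	if err != nil {
		return image.Config{}, fmt.Errorf("decode header: %w", err)
	}
	if cfg.Width > MaxWidth || cfg.Height > MaxHeight ||
		int64(cfg.Width)*int64(cfg.Height) > MaxPixels {
		return cfg, fmt.Errorf("%s %dx%d: %w", format, cfg.Width, cfg.Height, ErrImageTooLarge)
	}
	return cfg, nil
}

// DecodeBounded runs the header check, rewinds, and only then fully decodes.
func DecodeBounded(r io.ReadSeeker) (image.Image, error) {
	if _, err := CheckImageDimensions(r); err != nil {
		return nil, err
	}
	if _, err := r.Seek(0, io.SeekStart); err != nil {
		return nil, err
	}
	img, _, err := image.Decode(r)
	return img, err
}

// previewSlots caps concurrent preview jobs (hypothetical size of 2).
var previewSlots = make(chan struct{}, 2)

// WithPreviewSlot runs fn only if a slot is free; otherwise it fails fast so
// the HTTP layer can answer with a retry status instead of queueing work.
func WithPreviewSlot(fn func() error) error {
	select {
	case previewSlots <- struct{}{}:
		defer func() { <-previewSlots }()
		return fn()
	default:
		return ErrPreviewBusy
	}
}

// smallPNG is a constructed fixture: a real w x h PNG encoded in memory.
func smallPNG(w, h int) []byte {
	var buf bytes.Buffer
	_ = png.Encode(&buf, image.NewRGBA(image.Rect(0, 0, w, h)))
	return buf.Bytes()
}

// headerOnlyPNG is a constructed fixture: the PNG signature plus one IHDR
// chunk (8-bit RGB) declaring w x h. DecodeConfig needs nothing past IHDR for
// non-paletted PNGs, so large declared sizes can be tested without pixels.
func headerOnlyPNG(w, h uint32) []byte {
	be := func(v uint32) []byte { b := make([]byte, 4); binary.BigEndian.PutUint32(b, v); return b }
	chunk := append([]byte("IHDR"), be(w)...)
	chunk = append(chunk, be(h)...)
	chunk = append(chunk, 8, 2, 0, 0, 0) // depth 8, RGB, deflate, filter 0, no interlace
	var buf bytes.Buffer
	buf.Write([]byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'})
	buf.Write(be(13)) // IHDR data length
	buf.Write(chunk)
	buf.Write(be(crc32.ChecksumIEEE(chunk))) // CRC covers chunk type + data
	return buf.Bytes()
}

func main() {
	for name, data := range map[string][]byte{"real 64x64": smallPNG(64, 64), "declared 10000x10000": headerOnlyPNG(10000, 10000)} {
		cfg, err := CheckImageDimensions(bytes.NewReader(data))
		fmt.Printf("%-22s -> %dx%d err=%v\n", name, cfg.Width, cfg.Height, err)
	}
}
```

image.DecodeConfig parses only the header, so rejecting an oversized file costs a few hundred bytes of reads, and image.Decode runs only after the check passes. The non-blocking slot acquire is the backpressure piece: a saturated server answers immediately rather than stacking decodes on top of each other, and the cache lookup the advisory mentions should sit in front of both so that only a cache miss reaches the check and the slot.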

Exploit · Fix

Weakness Enumeration

Resource Exhaustion

Related Identifiers

CVE-2026-33474
GHSA-WC83-79HJ-HPMQ
GO-2026-4811
SUSE-SU-2026:1135-1

Affected Products

Vikunja