
Commit 0f5d4d6

jasnow authored and RubySec CI committed
Updated advisory posts against rubysec/ruby-advisory-db@aa2bacb
1 parent 85bec7f commit 0f5d4d6

File tree

1 file changed

+59
-0
lines changed

Lines changed: 59 additions & 0 deletions
@@ -0,0 +1,59 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2026-33635 (icalendar): iCalendar has ICS injection via unsanitized URI
4+
property values'
5+
comments: false
6+
categories:
7+
- icalendar
8+
advisory:
9+
gem: icalendar
10+
cve: 2026-33635
11+
ghsa: pv9c-9mfh-hvxq
12+
url: https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq
13+
title: iCalendar has ICS injection via unsanitized URI property values
14+
date: 2026-03-24
15+
description: |
16+
### Summary
17+
18+
.ics serialization does not properly sanitize URI property values,
19+
enabling ICS injection through attacker-controlled input, adding
20+
arbitrary calendar lines to the output.
21+
22+
### Details
23+
24+
`Icalendar::Values::Uri` falls back to the raw input string when
25+
`URI.parse` fails and later serializes it with `value.to_s` without
26+
removing or escaping `\r` or `\n` characters. That value is embedded
27+
directly into the final ICS line by the normal serializer, so a
28+
payload containing CRLF can terminate the original property and
29+
create a new ICS property or component. (It looks like you can
30+
inject via url, source, image, organizer, attach, attendee,
31+
conference, tzurl because of this)
32+
33+
Relevant code:
34+
- `lib/icalendar/values/uri.rb:16`
35+
36+
### Impact
37+
38+
Applications that generate `.ics` files from partially untrusted
39+
metadata are impacted. As a result, downstream calendar clients
40+
or importers may process attacker-supplied content as if it were
41+
legitimate event data, such as added attendees, modified URLs,
42+
alarms, or other calendar fields.
43+
44+
## Fix
45+
46+
Reject raw CR and LF characters in `URI`-typed values before
47+
serialization, or escape/encode them so they cannot terminate
48+
the current ICS content line.
49+
cvss_v3: 4.3
50+
unaffected_versions:
51+
- "< 2.0.0"
52+
patched_versions:
53+
- ">= 2.12.2"
54+
related:
55+
url:
56+
- https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq
57+
- https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265
58+
- https://github.com/advisories/GHSA-pv9c-9mfh-hvxq
59+
---
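Review bot: the description's section headings are inconsistent: `### Summary`, `### Details` and `### Impact` are h3 while `## Fix` is h2, so the fix section renders one level above its siblings in the advisory post; change it to `### Fix`. Under "Relevant code:", the reference `lib/icalendar/values/uri.rb:16` is a bare line number that will drift as the file changes; since the fix commit `b8d23b490363ee5fffaec1d269a8618a912ca265` is already listed under `related: url:`, consider linking the file at that commit (or the parent) instead. The parenthetical "(It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this)" reads as a working note rather than advisory text; a plain statement such as "The affected URI-typed properties include url, source, image, organizer, attach, attendee, conference and tzurl" would read better, if the upstream advisory text permits rewording.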
