CVE-2026-33635
MEDIUMSeverity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Summary
.ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output.
Details
Icalendar::Values::Uri falls back to the raw input string when URI.parse fails and later serializes it with value.to_s without removing or escaping \r or \n characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this)
Relevant code:
lib/icalendar/values/uri.rb:16
PoC
Run the following with the library loaded:
require "icalendar/value"
require "icalendar/values/uri"
v = Icalendar::Values::Uri.new("https://a.example/ok\r\nATTENDEE:mailto:evil@example.com")
puts v.to_ical(Icalendar::Values::Text)output:
;VALUE=URI:https://a.example/ok
ATTENDEE:mailto:evil@example.comImpact
Applications that generate .ics files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields.
Fix
Reject raw CR and LF characters in URI-typed values before serialization, or escape/encode them so they cannot terminate the current ICS content line.
AnalysisAI
The Ruby icalendar library versions prior to the patched commit fail to sanitize carriage return and line feed characters in URI property values, allowing attackers to inject arbitrary ICS calendar lines through CRLF injection. Applications that generate .ics files from untrusted metadata are affected, enabling attackers to add malicious calendar properties such as attendees, URLs, or alarms that downstream calendar clients will process as legitimate event data. A proof-of-concept demonstrating the vulnerability is publicly available, and a patch is available from the vendor.
Technical ContextAI
The vulnerability exists in the icalendar Ruby gem (CPE: pkg:rubygems/icalendar) in the Icalendar::Values::Uri class at lib/icalendar/values/uri.rb:16. When URI.parse fails on attacker-controlled input, the library falls back to using the raw input string directly. During serialization via to_ical, this raw string is embedded into the ICS output without escaping or removing CR (\r) and LF (\n) characters. ICS (iCalendar) format uses CRLF as line terminators; an attacker can exploit this to terminate the current property line prematurely and inject new ICS properties or components. The root cause is classified as CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers), which applies equally to ICS injection. Multiple URI-typed properties are affected, including url, source, image, organizer, attach, attendee, conference, and tzurl.
RemediationAI
Update the icalendar Ruby gem to a version containing commit b8d23b490363ee5fffaec1d269a8618a912ca265 or later, as referenced in the patch at https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265. The fix rejects or escapes CR and LF characters in URI-typed property values before serialization. Until patching is possible, implement input validation by rejecting or sanitizing any user-supplied metadata intended for calendar export, specifically stripping or URL-encoding carriage returns and line feeds from fields mapped to URI properties. Additionally, apply defense-in-depth by enforcing strict output validation on generated .ics files to ensure no unexpected CRLF sequences appear outside legitimate line boundaries.
Share
External POC / Exploit Code
Leaving vuln.today