Skip to main content

CVE-2026-33635

MEDIUM
Improper Neutralization of CRLF Sequences ('CRLF Injection') (CWE-93)
2026-03-24 https://github.com/icalendar/icalendar
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 24, 2026 - 19:15 vuln.today
Patch released
Mar 24, 2026 - 19:15 nvd
Patch available
CVE Published
Mar 24, 2026 - 19:13 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

Summary

.ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output.

Details

Icalendar::Values::Uri falls back to the raw input string when URI.parse fails and later serializes it with value.to_s without removing or escaping \r or \n characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this)

Relevant code:

  • lib/icalendar/values/uri.rb:16

PoC

Run the following with the library loaded:

ruby
require "icalendar/value"
require "icalendar/values/uri"

v = Icalendar::Values::Uri.new("https://a.example/ok\r\nATTENDEE:mailto:evil@example.com")
puts v.to_ical(Icalendar::Values::Text)

output:

text
;VALUE=URI:https://a.example/ok
ATTENDEE:mailto:evil@example.com

Impact

Applications that generate .ics files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields.

Fix

Reject raw CR and LF characters in URI-typed values before serialization, or escape/encode them so they cannot terminate the current ICS content line.

AnalysisAI

The Ruby icalendar library versions prior to the patched commit fail to sanitize carriage return and line feed characters in URI property values, allowing attackers to inject arbitrary ICS calendar lines through CRLF injection. Applications that generate .ics files from untrusted metadata are affected, enabling attackers to add malicious calendar properties such as attendees, URLs, or alarms that downstream calendar clients will process as legitimate event data. A proof-of-concept demonstrating the vulnerability is publicly available, and a patch is available from the vendor.

Technical ContextAI

The vulnerability exists in the icalendar Ruby gem (CPE: pkg:rubygems/icalendar) in the Icalendar::Values::Uri class at lib/icalendar/values/uri.rb:16. When URI.parse fails on attacker-controlled input, the library falls back to using the raw input string directly. During serialization via to_ical, this raw string is embedded into the ICS output without escaping or removing CR (\r) and LF (\n) characters. ICS (iCalendar) format uses CRLF as line terminators; an attacker can exploit this to terminate the current property line prematurely and inject new ICS properties or components. The root cause is classified as CWE-93 (Improper Neutralization of CRLF Sequences in HTTP Headers), which applies equally to ICS injection. Multiple URI-typed properties are affected, including url, source, image, organizer, attach, attendee, conference, and tzurl.

RemediationAI

Update the icalendar Ruby gem to a version containing commit b8d23b490363ee5fffaec1d269a8618a912ca265 or later, as referenced in the patch at https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265. The fix rejects or escapes CR and LF characters in URI-typed property values before serialization. Until patching is possible, implement input validation by rejecting or sanitizing any user-supplied metadata intended for calendar export, specifically stripping or URL-encoding carriage returns and line feeds from fields mapped to URI properties. Additionally, apply defense-in-depth by enforcing strict output validation on generated .ics files to ensure no unexpected CRLF sequences appear outside legitimate line boundaries.

Share

CVE-2026-33635 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy