Medium severity (4.3) · NVD Advisory · Published Mar 26, 2026 · Updated Apr 10, 2026

CVE-2026-33635

Description

iCalendar is a Ruby library for working with iCalendar (.ics) files in the format defined by RFC 5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input that adds arbitrary calendar lines to the output. Icalendar::Values::Uri falls back to the raw input string when URI.parse fails and later serializes it with value.to_s without removing or escaping \r or \n characters. The normal serializer embeds that value directly into the final ICS content line, so a value containing CRLF can terminate the original property and start a new ICS property or component. Because of this fallback, injection appears possible through url, source, image, organizer, attach, attendee, conference and tzurl. Applications that generate .ics files from partially untrusted metadata are affected. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields. Version 2.12.2 contains a patch for the issue.
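As an added illustration (not the gem's code and not part of this advisory), the following Ruby models the behaviour described above: a URI value serialized raw into a content line versus the same value with ASCII control bytes percent-encoded, plus a small output check a defender can run over generated .ics text. The function names, the CONTROL_BYTES constant and the sample input are constructed for this example.

```ruby
require 'uri'

# Constructed example, not the icalendar gem's own code. It models the two
# behaviours the advisory describes: a URI-valued property serialized with the
# raw string (pre-2.12.2) and the same value with ASCII control bytes
# percent-encoded (the approach taken in 2.12.2). All names are assumptions.

CONTROL_BYTES = /[\x00-\x1F\x7F]/

# Pre-fix behaviour: whatever survives URI.parse (or the raw string when
# parsing fails) is emitted unchanged, CR and LF included.
def vulnerable_uri_value(input)
  parsed = begin
    URI.parse(input)
  rescue URI::Error
    input
  end
  parsed.to_s
end

# Fixed behaviour: every ASCII control byte (including CR and LF) becomes %XX,
# so the value can never span more than one content line.
def hardened_uri_value(input)
  vulnerable_uri_value(input).gsub(CONTROL_BYTES) { |c| format('%%%02X', c.ord) }
end

# Emit one ICS content line "NAME:value" terminated by CRLF, as RFC 5545 requires.
def content_line(name, value)
  "#{name}:#{value}\r\n"
end

# Defender-side check for generated output: the number of CRLF-terminated lines
# must equal the number of properties the application intended to write. A
# mismatch means some value smuggled in its own line terminator.
def line_count_matches?(ics, expected_properties)
  ics.split("\r\n").length == expected_properties
end

# Constructed untrusted input carrying an embedded CRLF (same shape as the
# case the gem's regression spec exercises).
UNTRUSTED = "https://a.example/ok\r\nATTENDEE:mailto:someone@example.com"

def demo
  vulnerable = content_line('URL', vulnerable_uri_value(UNTRUSTED))
  hardened   = content_line('URL', hardened_uri_value(UNTRUSTED))
  {
    vulnerable_lines: vulnerable.split("\r\n"),
    hardened_lines: hardened.split("\r\n"),
    vulnerable_ok: line_count_matches?(vulnerable, 1),
    hardened_ok: line_count_matches?(hardened, 1)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

Running the file prints the split lines of both serializations: the raw path turns one URL property into two content lines, while the hardened path keeps a single line with %0D%0A in place of the terminator. The line-count check is deliberately simple and is meant for output the application itself generates, where the number of intended properties is known.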

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Affected versions       Patched versions
icalendar (RubyGems)    >= 2.0.0, < 2.12.2      2.12.2


Patches

b8d23b490363

Merge commit from fork

https://github.com/icalendar/icalendar · Ryan Ahearn · Mar 21, 2026 · via ghsa
2 files changed · +45 −1
  • lib/icalendar/values/uri.rb · +2 −1 · modified
    @@ -6,14 +6,15 @@ module Icalendar
       module Values
     
         class Uri < Value
    +      CONTROL_BYTES_REGEX = /[\x00-\x1F\x7F]/.freeze
     
           def initialize(value, *args)
             parsed = URI.parse(value) rescue value
             super parsed, *args
           end
     
           def value_ical
    -        value.to_s
    +        value.to_s.gsub(CONTROL_BYTES_REGEX) { |char| "%%%02X" % char.ord }
           end
         end
     
    
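Review bot: the value stored by `super parsed, *args` still carries the raw control characters, because `parsed = URI.parse(value) rescue value` keeps the unparsed string and the new `CONTROL_BYTES_REGEX` substitution is applied only in `value_ical`; any code path that reads `value.to_s` instead of `value_ical` therefore still sees the embedded CRLF. Consider either normalizing in `initialize` as well or adding a comment on the class stating that percent-encoding is deferred to serialization on purpose. A minor point: document that `CONTROL_BYTES_REGEX` covers only the ASCII range `\x00-\x1F` and `\x7F`, which is exactly what `"%%%02X" % char.ord` can express as a single `%XX` escape.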
  • spec/values/uri_spec.rb · +43 −0 · added
    @@ -0,0 +1,43 @@
    +require 'spec_helper'
    +
    +describe Icalendar::Values::Uri do
    +  describe '#value_ical' do
    +    it 'percent-encodes CRLF to prevent content-line injection' do
    +      value = described_class.new("https://a.example/ok\r\nATTENDEE:mailto:evil@example.com")
    +
    +      expect(value.value_ical).to eq('https://a.example/ok%0D%0AATTENDEE:mailto:evil@example.com')
    +    end
    +
    +    it 'percent-encodes the full ASCII control range' do
    +      raw = "https://example.com/a\tb\f#{0.chr}#{127.chr}"
    +      value = described_class.new(raw)
    +
    +      expect(value.value_ical).to eq('https://example.com/a%09b%0C%00%7F')
    +    end
    +
    +    it 'leaves valid printable URI characters unchanged' do
    +      raw = 'https://example.com/a-path?q=one%20two&x=@tag#frag'
    +      value = described_class.new(raw)
    +
    +      expect(value.value_ical).to eq(raw)
    +    end
    +  end
    +
    +  describe '#to_ical' do
    +    it 'serializes injected CRLF on the same content line' do
    +      value = described_class.new("https://a.example/ok\r\nATTENDEE:mailto:evil@example.com")
    +
    +      expect(value.to_ical(Icalendar::Values::Text)).to eq(
    +        ';VALUE=URI:https://a.example/ok%0D%0AATTENDEE:mailto:evil@example.com'
    +      )
    +    end
    +  end
    +end
    +
    +describe Icalendar::Values::CalAddress do
    +  it 'inherits URI control-byte encoding' do
    +    value = described_class.new("mailto:user@example.com\r\nORGANIZER:mailto:evil@example.com")
    +
    +    expect(value.value_ical).to eq('mailto:user@example.com%0D%0AORGANIZER:mailto:evil@example.com')
    +  end
    +end
    
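Review bot: the example `'percent-encodes the full ASCII control range'` asserts on only four sample bytes (`\t`, `\f`, `0.chr`, `127.chr`), so it does not exercise the range its description names; iterating `(0..31).to_a << 127` and asserting each byte maps to its `"%%%02X"` form would make the description true and catch a regression in the regex bounds. Two further cases worth adding: a bare LF with no preceding CR and a bare CR, since both are inside the regex range but neither test covers them individually, and a plain printable input for `Icalendar::Values::CalAddress` to confirm the inherited encoding leaves valid mailto addresses unchanged as the Uri spec does for URLs.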
