CVE-2026-33635— iCalendar 注入漏洞

iCalendar has ICS injection via unsanitized URI property values

iCalendar is a Ruby library for dealing with iCalendar files in the iCalendar format defined by RFC-5545. Starting in version 2.0.0 and prior to version 2.12.2, .ics serialization does not properly sanitize URI property values, enabling ICS injection through attacker-controlled input, adding arbitrary calendar lines to the output. `Icalendar::Values::Uri` falls back to the raw input string when `URI.parse` fails and later serializes it with `value.to_s` without removing or escaping `\r` or `\n` characters. That value is embedded directly into the final ICS line by the normal serializer, so a payload containing CRLF can terminate the original property and create a new ICS property or component. (It looks like you can inject via url, source, image, organizer, attach, attendee, conference, tzurl because of this). Applications that generate `.ics` files from partially untrusted metadata are impacted. As a result, downstream calendar clients or importers may process attacker-supplied content as if it were legitimate event data, such as added attendees, modified URLs, alarms, or other calendar fields. Version 2.12.2 contains a patch for the issue.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

对CRLF序列的转义处理不恰当(CRLF注入)

iCalendar 注入漏洞

iCalendar是icalendar开源的一个处理iCalendar格式文件的Ruby库。 iCalendar 2.0.0版本至2.12.2版本存在注入漏洞，该漏洞源于.ics序列化未正确清理URI属性值，可能导致ICS注入攻击。

N/A

N/A