GHSA/SYNC: 1 brand new advisory

Author: jasnow

gems/icalendar/CVE-2026-33635.yml

@@ -0,0 +1,51 @@
+---
+gem: icalendar
+cve: 2026-33635
+ghsa: pv9c-9mfh-hvxq
+url: https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq
+title: iCalendar has ICS injection via unsanitized URI property values
+date: 2026-03-24
+description: |
+  ### Summary
+
+  .ics serialization does not properly sanitize URI property values,
+  enabling ICS injection through attacker-controlled input, adding
+  arbitrary calendar lines to the output.
+
+  ### Details
+
+  `Icalendar::Values::Uri` falls back to the raw input string when
+  `URI.parse` fails and later serializes it with `value.to_s` without
+  removing or escaping `\r` or `\n` characters. That value is embedded
+  directly into the final ICS line by the normal serializer, so a
+  payload containing CRLF can terminate the original property and
+  create a new ICS property or component. (It looks like you can
+  inject via url, source, image, organizer, attach, attendee,
+  conference, tzurl because of this)
+
+  Relevant code:
+  - `lib/icalendar/values/uri.rb:16`
+
+  ### Impact
+
+  Applications that generate `.ics` files from partially untrusted
+  metadata are impacted. As a result, downstream calendar clients
+  or importers may process attacker-supplied content as if it were
+  legitimate event data, such as added attendees, modified URLs,
+  alarms, or other calendar fields.
+
+  ## Fix
+
+  Reject raw CR and LF characters in `URI`-typed values before
+  serialization, or escape/encode them so they cannot terminate
+  the current ICS content line.
+cvss_v3: 4.3
+unaffected_versions:
+  - "< 2.0.0"
+patched_versions:
+  - ">= 2.12.2"
+related:
+  url:
+    - https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq
+    - https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265
+    - https://github.com/advisories/GHSA-pv9c-9mfh-hvxq