icalendar is vulnerable to Denial of Service (DoS)
75
High Risk
The Component.__eq__ method compares subcomponents with nested membership loops that recurse into each child, so an equality check runs in O(2^n) time relative to component nesting depth. Because the parser imposes no limit on nesting depth, a small crafted .ics file containing deeply nested equal subtrees can make a single comparison run for minutes or hang indefinitely while pinning a CPU core. Any application that compares parsed calendar components with ==, !=, in, set or dict membership, deduplication, or round-trip checks against attacker-supplied data is exposed to an unauthenticated denial of service. The fix rewrites Component.__eq__ to walk an explicit stack, matching each pair of nested components exactly once so equality becomes linear in the number of components.
You are affected if you are using a version that falls within the vulnerable range and your application compares parsed calendar components (for example with ==, in, set or dict membership, or deduplication) against untrusted calendar data.
icalendar is vulnerable to Denial of Service (DoS) in versions 7.1.0 - 7.1.2.
Upgrade the icalendar library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant