Intel

AIKIDO-2026-725341

icalendar is vulnerable to Denial of Service (DoS)

Denial of Service (DoS)CVE-2026-55099 Published 3 days ago

75

High Risk

This Affects:

PYTHONicalendar
7.1.0 - 7.1.2
Fixed in 7.1.3
Are you affected? Scan for Free

TL;DR

The Component.__eq__ method compares subcomponents with nested membership loops that recurse into each child, so an equality check runs in O(2^n) time relative to component nesting depth. Because the parser imposes no limit on nesting depth, a small crafted .ics file containing deeply nested equal subtrees can make a single comparison run for minutes or hang indefinitely while pinning a CPU core. Any application that compares parsed calendar components with ==, !=, in, set or dict membership, deduplication, or round-trip checks against attacker-supplied data is exposed to an unauthenticated denial of service. The fix rewrites Component.__eq__ to walk an explicit stack, matching each pair of nested components exactly once so equality becomes linear in the number of components.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application compares parsed calendar components (for example with ==, in, set or dict membership, or deduplication) against untrusted calendar data.

Background info

icalendar is vulnerable to Denial of Service (DoS) in versions 7.1.0 - 7.1.2.

How to fix this

Upgrade the icalendar library to the patch version.