| Version | Supported |
|---|---|
| 2.x.x | ✅ |
| 1.x.x | ✅ |
| < 1.0 | ❌ |
We take the security of iCalDAV seriously. If you believe you have found a security vulnerability, please report it to us as described below.
Please do NOT report security vulnerabilities through public GitHub issues.
Instead, please use GitHub Security Advisories to report vulnerabilities privately.
Please include the following information in your report:
- Type of vulnerability (e.g., XXE, SSRF, injection, DoS)
- Full paths of affected source files
- Location of the affected code (tag/branch/commit or direct URL)
- Step-by-step instructions to reproduce the issue
- Proof-of-concept or exploit code (if possible)
- Impact assessment of the vulnerability
iCalDAV implements the following security measures:
- ICS Size Limits: Maximum file size enforced to prevent memory exhaustion
- RRULE Limits: Maximum recurrence expansion to prevent DoS
- URL Validation: Only
https://,http://, andwebcal://schemes allowed - Path Sanitization: Path traversal attempts are rejected
- XXE Prevention: External entity processing disabled in XML parser
- DTD Processing: Disabled by default
- Entity Expansion Limits: Configured to prevent billion laughs attack
- TLS by Default: HTTPS enforced for all CalDAV operations
- Certificate Validation: Full certificate chain validation
- Timeout Enforcement: Connection and read timeouts prevent hanging
When using iCalDAV in your application:
-
Credential Management
- Never log credentials or authentication tokens
- Use secure credential storage (e.g., Android Keystore)
- Consider OAuth2 where supported by the server
-
Network Security
- Always use HTTPS endpoints
- Consider certificate pinning for sensitive applications
- Implement rate limiting to avoid server abuse
-
Input Handling
- Validate calendar URLs before passing to the library
- Sanitize event data before displaying to users
- Be cautious with event URLs and attachments
-
Error Handling
- Don't expose stack traces to end users
- Log errors without sensitive information
- Handle parse errors gracefully
| Threat | Mitigation | Status |
|---|---|---|
| XXE Injection | External entities disabled | ✅ |
| SSRF via URL | URL scheme validation | ✅ |
| DoS via large ICS | Size limits enforced | ✅ |
| DoS via infinite RRULE | Expansion limits enforced | ✅ |
| Path Traversal | Path normalization | ✅ |
| Credential Leakage | No credential logging | ✅ |
| Man-in-the-Middle | TLS required | ✅ |
Security updates are released as patch versions (e.g., 1.0.1) and announced via:
- GitHub Security Advisories
- Release notes
We recommend enabling GitHub notifications for security advisories on this repository.
We thank the following individuals for responsibly disclosing security issues:
- (No reports yet)
This security policy was last updated in January 2026.