CVE-2025-71063

8.2 HIGH

📋 TL;DR

Errands versions before 46.2.10 do not validate TLS certificates when connecting to CalDAV servers. An attacker positioned between the client and the server can present any certificate, and the client accepts it, which lets the attacker read or modify the synced calendar data and capture the credentials the client sends with each request. Every Errands user who syncs with a CalDAV server is exposed wherever their traffic can be intercepted, most obviously on untrusted networks.

💻 Affected Systems

Products:
  • Errands
Versions: All versions before 46.2.10
Operating Systems: All platforms running Errands
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects users who have configured CalDAV synchronization, but once an account is configured no setting changes the behaviour: every CalDAV account in an affected version is exposed.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

An attacker on the network path presents a forged certificate, which the client accepts, and can then read the synced calendar data, inject or alter events, and capture the credentials the client sends with every CalDAV request (CalDAV clients typically send HTTP Basic credentials on each request, so a single intercepted sync is enough to take over the account).

🟠

Likely Case

Calendar data exposure or manipulation when users connect to CalDAV servers over public or compromised networks.

🟢

If Mitigated

Limited impact if connections only occur over trusted internal networks with proper network segmentation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires an on-path (man-in-the-middle) position between the client and the CalDAV server, for example a hostile Wi-Fi access point or a compromised router. No account on the server is needed, and generic TLS-interception tooling with a self-signed certificate is enough, since the client accepts any certificate.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 46.2.10

Vendor Advisory: https://github.com/mrvladus/Errands/releases/tag/46.2.10

Restart Required: Yes

Instructions:

1. Update Errands to version 46.2.10 or later.
2. Restart the application.
3. Verify that CalDAV connections now enforce certificate validation (see How to Verify below).

🔧 Temporary Workarounds

Disable CalDAV synchronization

Platform: all

Temporarily disable calendar synchronization with CalDAV servers until patched. This is the only workaround that removes the exposure entirely.

Use VPN for CalDAV connections

Platform: all

Route CalDAV traffic through a trusted VPN. Note that the VPN only protects the segment between the client and the VPN endpoint: the CalDAV server must be reachable inside the VPN, or the VPN exit must sit on the same trusted network as the server, otherwise the exposed hop simply moves to the far side of the tunnel.

🧯 If You Can't Patch

  • Only use CalDAV synchronization over trusted internal networks, and never from public Wi-Fi or other networks you do not control
  • Monitor TLS sessions to the CalDAV server at the network layer for a certificate whose issuer or fingerprint differs from the server's real one; the vulnerable client itself raises no warning, because it never validates

🔍 How to Verify

Check if Vulnerable:

Check the version in the application's About dialog or settings, or run errands --version where the binary is on the PATH. A version earlier than 46.2.10 with a CalDAV server configured is vulnerable. Compare versions numerically: 46.2.9 sorts after 46.2.10 as a string.

Check Version:

errands --version

Verify Fix Applied:

After updating to 46.2.10 or later, point the application at a CalDAV endpoint that presents a certificate it should not trust (self-signed, expired, or issued for a different host name); the connection must be refused before any credentials are sent. An intercepting proxy whose CA is not installed in the system trust store gives the same test.
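The check above, worked as an added example (not code from Errands or its maintainer): what a CalDAV client that validates TLS looks like in Python next to the pattern the advisory describes, a function that audits an ssl.SSLContext for that mistake, an optional certificate-fingerprint pin, and a version comparison that avoids the "46.2.9 > 46.2.10" string-compare trap. Host, path, credentials and pin are command-line inputs; the DER bytes, host names and file name are placeholders, none of them from the project.

```python
"""Added example (not Errands' own code): a CalDAV probe over a validating
TLS context, an audit for the context mistake this advisory describes,
optional certificate pinning, and a correct version comparison.  Host,
path, credentials and pin are command-line inputs; nothing here is taken
from the project."""
import hashlib
import hmac
import http.client
import ssl
import sys
from base64 import b64encode
from typing import List, Optional

FIXED_VERSION = (46, 2, 10)  # first fixed release per the advisory


def parse_version(text: str) -> tuple:
    """'46.2.9' -> (46, 2, 9).  Integer tuples compare correctly; the
    strings do not ('46.2.9' > '46.2.10' lexically)."""
    return tuple(int(part) for part in text.strip().split("."))


def is_vulnerable(version: str) -> bool:
    """True for every release before 46.2.10, the advisory's affected range."""
    return parse_version(version) < FIXED_VERSION


def vulnerable_context() -> ssl.SSLContext:
    """The class of mistake in the advisory: accept any certificate for any
    name.  Defined here only so audit_context() has something to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE  # no chain validation at all
    return ctx


def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Chain validated against the system store (or cafile), host name
    checked, TLS 1.2 floor: what a fixed client's context must look like."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Reasons a context would not notice a man-in-the-middle; an empty
    list means both chain and host-name validation are on."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: peer chain not validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate not matched to host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings


def cert_fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER certificate as lower-case hex: the value to pin
    after reading it from the real server over a path you trust."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the presented certificate to the pin."""
    return hmac.compare_digest(cert_fingerprint(der_cert), expected_hex.lower())


def caldav_propfind(host: str, path: str, user: str, password: str,
                    ctx: ssl.SSLContext, pin_hex: Optional[str] = None) -> int:
    """PROPFIND Depth:0 for the current-user-principal, the smallest CalDAV
    request that exercises authentication.  Returns the HTTP status.  With a
    forged certificate the handshake raises ssl.SSLCertVerificationError
    before the Basic credentials are ever sent."""
    conn = http.client.HTTPSConnection(host, 443, context=ctx, timeout=10)
    conn.connect()  # TLS handshake and certificate validation happen here
    if pin_hex is not None:
        der = conn.sock.getpeercert(binary_form=True)
        if not pin_matches(der, pin_hex):
            conn.close()
            raise ssl.SSLError("peer certificate fingerprint does not match the pin")
    body = ('<?xml version="1.0" encoding="utf-8"?>'
            '<d:propfind xmlns:d="DAV:"><d:prop><d:current-user-principal/>'
            '</d:prop></d:propfind>')
    auth = b64encode(f"{user}:{password}".encode()).decode()
    conn.request("PROPFIND", path, body=body, headers={
        "Authorization": f"Basic {auth}",
        "Depth": "0",
        "Content-Type": "application/xml; charset=utf-8",
    })
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    # usage: python caldav_tls_check.py HOST PATH USER PASSWORD [SHA256_PIN_HEX]
    host, path, user, password = sys.argv[1:5]
    pin = sys.argv[5] if len(sys.argv) > 5 else None
    try:
        print("status:", caldav_propfind(host, path, user, password, hardened_context(), pin))
    except ssl.SSLCertVerificationError as exc:
        print("rejected, as a fixed client must:", exc)
```

Run it against the real server first: a 207 Multi-Status (or 401 if the credentials are wrong) confirms the chain validates, and the fingerprint read over that trusted path is what you pin. Run it again through a lab proxy that terminates TLS with its own certificate and it must raise ssl.SSLCertVerificationError before the Authorization header leaves the client, which is exactly the behaviour to confirm in a patched Errands: an affected build is the vulnerable_context() case and completes the sync against the forged certificate without a word.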

📡 Detection & Monitoring

Log Indicators:

  • Certificate verification failures for the CalDAV host (a patched client refusing a forged certificate; a vulnerable client logs nothing here, because it never validates)
  • CalDAV requests failing, or returning unexpected data, after a period of successful syncs
  • Certificate warnings presented to the user

Network Indicators:

  • TLS sessions to the CalDAV server whose leaf certificate, issuer or fingerprint differ from the server's real one (visible to passive TLS monitoring; the vulnerable client cannot tell)
  • CalDAV traffic over plain HTTP or to an unexpected address, which points to downgrade or redirection by an interceptor

SIEM Query:

source="errands.log" AND ("certificate" OR "TLS" OR "CalDAV") AND ("error" OR "warning" OR "failed")
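The query above, turned into code as an added example (not from Errands and not this page's SIEM): it parses constructed log lines in an assumed "timestamp level component message key=value" layout, applies the same keyword logic, and then adds the step a keyword query alone lacks, flagging a host that synced successfully and later produced a burst of certificate or CalDAV failures, which is the pattern a patched client shows when something between it and the server terminates TLS. The log format, messages and host names are all assumptions; a still-vulnerable client produces none of these lines, so treat the output as a post-patch or proxy-side signal.

```python
"""Added example (not Errands' own code): the advisory's SIEM query as
detection logic over constructed log lines.  Line layout, messages and host
names are assumptions for illustration only."""
import re
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Set

# Constructed sample: timestamp level component message key=value ...
SAMPLE_LOG = """\
2025-06-01T08:00:01Z INFO  sync CalDAV sync ok host=cal.example.internal items=12
2025-06-01T08:15:02Z INFO  sync CalDAV sync ok host=cal.example.internal items=12
2025-06-01T12:30:05Z ERROR tls  certificate verify failed host=cal.example.internal reason=self-signed
2025-06-01T12:30:06Z ERROR sync CalDAV request failed host=cal.example.internal
2025-06-01T12:31:07Z ERROR tls  certificate verify failed host=cal.example.internal reason=hostname-mismatch
2025-06-01T12:45:00Z INFO  sync CalDAV sync ok host=cal.example.internal items=12
2025-06-01T13:00:00Z WARN  ui   certificate warning shown host=cal.example.internal
2025-06-01T13:05:00Z ERROR sync CalDAV request failed host=other.example.internal
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<level>[A-Z]+)\s+(?P<component>\S+)\s+(?P<msg>.*)$")
HOST_RE = re.compile(r"\bhost=(?P<host>\S+)")

# The advisory's query, as two keyword sets joined by AND:
# ("certificate" OR "TLS" OR "CalDAV") AND ("error" OR "warning" OR "failed")
TOPIC_WORDS = ("certificate", "tls", "caldav")
PROBLEM_WORDS = ("error", "warning", "failed")


def parse_line(line: str) -> Dict[str, object]:
    """Split one constructed log line into fields; host comes from key=value."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    rec: Dict[str, object] = m.groupdict()
    rec["ts"] = datetime.strptime(str(rec["ts"]), "%Y-%m-%dT%H:%M:%SZ")
    hm = HOST_RE.search(str(rec["msg"]))
    rec["host"] = hm.group("host") if hm else None
    return rec


def matches_query(rec: Dict[str, object]) -> bool:
    """Same semantics as the SIEM query; level, component and message are
    all searched, so an ERROR line counts as 'error' even if the message
    does not repeat the word."""
    text = f"{rec['level']} {rec['component']} {rec['msg']}".lower()
    return any(w in text for w in TOPIC_WORDS) and any(w in text for w in PROBLEM_WORDS)


def interception_candidates(records: Iterable[Dict[str, object]],
                            window: timedelta = timedelta(minutes=5),
                            threshold: int = 2) -> Set[str]:
    """Hosts that synced successfully at least once and afterwards produced
    `threshold` query hits inside `window`.  A server that was reachable with
    a valid certificate and suddenly is not is what a validating client
    reports when an interceptor sits on the path (or the server's certificate
    was rotated, which is the false positive to rule out first)."""
    seen_ok: Set[str] = set()
    recent: Dict[str, List[datetime]] = {}
    flagged: Set[str] = set()
    for rec in sorted(records, key=lambda r: r["ts"]):  # type: ignore[arg-type]
        host = rec["host"]
        if host is None:
            continue
        if not matches_query(rec):
            if rec["level"] == "INFO":
                seen_ok.add(str(host))
            continue
        ts = rec["ts"]
        hits = [t for t in recent.get(str(host), []) if ts - t <= window]  # type: ignore[operator]
        hits.append(ts)  # type: ignore[arg-type]
        recent[str(host)] = hits
        if host in seen_ok and len(hits) >= threshold:
            flagged.add(str(host))
    return flagged


def run(log_text: str) -> Set[str]:
    """Parse a whole log and return the hosts worth a closer look."""
    return interception_candidates(parse_line(l) for l in log_text.splitlines() if l.strip())


if __name__ == "__main__":
    print("hosts to investigate:", sorted(run(SAMPLE_LOG)))
```

Notice that other.example.internal is not flagged even though its request failed: with no earlier successful sync there is no baseline, so that line is a plain connectivity error until something else corroborates it. Tune window and threshold to the client's sync interval; a client that retries every 15 minutes needs a window of at least that.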
