CVE-2025-71063
TLS Certificate Validation Bypass in Errands Before
Publication date: 2026-01-12
Last updated on: 2026-02-05
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mrvladus | errands | up to 46.2.10 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-71063 is a security vulnerability in the Errands application where TLS certificate verification for CalDAV servers was disabled by default before version 46.2.10. This means Errands accepted any TLS certificate, including invalid or malicious ones, without validating them. As a result, users are exposed to man-in-the-middle (MITM) attacks, allowing attackers to intercept or alter sensitive calendar and task data. The vulnerability stems from the Errands Python code explicitly setting ssl_verify_cert=False, bypassing proper SSL/TLS certificate validation. [1, 4]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Errands disables TLS certificate verification for CalDAV servers, exposing users to man-in-the-middle attacks that can intercept or alter sensitive calendar and task data containing private personal information. This undermines the confidentiality and integrity of user data, which are critical requirements under common standards and regulations such as GDPR and HIPAA. By allowing credential theft and data interception, the vulnerability could lead to non-compliance with these regulations' mandates for protecting personal and sensitive information during transmission. [1]
How can this vulnerability impact me?
This vulnerability can lead to man-in-the-middle attacks where an attacker intercepts or modifies your calendar and task data, which often contains private and sensitive personal information. Additionally, because Errands uses HTTP Basic authentication, credentials could be exposed in plaintext if TLS is compromised. This puts your data confidentiality and integrity at risk, potentially leading to credential theft and unauthorized data access. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the Errands application's configuration or source code to check if TLS certificate verification is disabled (i.e., if `ssl_verify_cert` is set to False) when connecting to CalDAV servers. Since Errands disables TLS certificate verification unconditionally in versions before 46.2.10, you can look for this setting in the Python CalDAV library usage within the application. Additionally, monitoring network traffic for TLS connections without proper certificate validation or using tools to detect man-in-the-middle attacks on CalDAV HTTPS connections may help. However, no specific commands are provided in the available resources. [1, 4]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, update the Errands application to version 46.2.10 or later, where the hardcoded disabling of TLS certificate verification has been removed and proper certificate validation is enforced. This update restores secure TLS handling and prevents man-in-the-middle attacks. Until the update is applied, avoid using Errands for CalDAV synchronization over untrusted networks, or consider alternative clients that enforce TLS certificate verification. The fix involves removing `ssl_verify_cert=False` so that SSL certificates are properly validated. [1, 5]
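The detection and mitigation answers above both come down to one setting: a CalDAV client constructed with `ssl_verify_cert=False`. The following script is an added example, not code from the Errands project or from this advisory's sources. It walks Python source with the standard `ast` module and reports every call that passes a falsy `ssl_verify_cert` keyword, which is the unconditional-disable pattern the advisory describes; the two embedded source snippets are constructed stand-ins for the pre-46.2.10 and fixed forms, and the helper names (`find_disabled_tls_verification`, `scan_tree`) are my own. `DAVClient` and its `ssl_verify_cert` keyword are the real python-caldav API the page refers to; the default is to verify the certificate, so the fixed form simply omits the argument.

```python
import ast
import pathlib

# Constructed sample sources (not Errands' real code). The first mirrors the
# hardcoded ssl_verify_cert=False pattern described in CVE-2025-71063, the
# second the corrected form, which leaves python-caldav's default (verify) in place.
VULNERABLE_SRC = '''
from caldav import DAVClient

def connect(url, user, password):
    return DAVClient(url=url, username=user, password=password, ssl_verify_cert=False)
'''

FIXED_SRC = '''
from caldav import DAVClient

def connect(url, user, password):
    # No ssl_verify_cert argument: the server certificate is checked against
    # the system trust store, so a MITM with a bogus certificate is rejected.
    return DAVClient(url=url, username=user, password=password)
'''


def _callee_name(func: ast.AST) -> str:
    """Render the called expression (e.g. 'caldav.DAVClient') for reporting."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return f"{_callee_name(func.value)}.{func.attr}"
    return ast.dump(func)


def find_disabled_tls_verification(source: str, filename: str = "<memory>") -> list:
    """Return (filename, line, callee) for each call passing a falsy ssl_verify_cert.

    Hypothetical helper added for this page. Only literal constants are judged,
    so a value computed at runtime is neither flagged nor cleared; review such
    call sites by hand.
    """
    findings = []
    tree = ast.parse(source, filename=filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        for kw in node.keywords:
            if (
                kw.arg == "ssl_verify_cert"
                and isinstance(kw.value, ast.Constant)
                and not kw.value.value
            ):
                findings.append((filename, node.lineno, _callee_name(node.func)))
    return findings


def scan_tree(root: str) -> list:
    """Scan every .py file under root (e.g. an installed Errands package dir)."""
    findings = []
    for path in pathlib.Path(root).rglob("*.py"):
        try:
            text = path.read_text(encoding="utf-8")
        except (OSError, UnicodeDecodeError):
            continue
        try:
            findings.extend(find_disabled_tls_verification(text, str(path)))
        except SyntaxError:
            # Skip files this interpreter cannot parse (e.g. Python 2 leftovers).
            continue
    return findings


if __name__ == "__main__":
    # Demonstrate on the constructed samples; point scan_tree() at a real
    # checkout or site-packages directory to audit an installed client.
    for label, src in (("vulnerable", VULNERABLE_SRC), ("fixed", FIXED_SRC)):
        hits = find_disabled_tls_verification(src, f"{label}.py")
        if hits:
            for fname, line, callee in hits:
                print(f"{fname}:{line}: {callee}() called with ssl_verify_cert=False")
        else:
            print(f"{label}.py: no disabled TLS verification found")
```

Running it prints one finding for the vulnerable sample and none for the fixed one. Because the check is syntactic, it confirms the hardcoded pattern the advisory describes is gone after updating to 46.2.10 or later; it does not prove that the certificate chain presented by a given CalDAV server is trusted, which is a separate, runtime concern.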