CVE-2025-71063
Unknown Unknown - Not Provided
TLS Certificate Validation Bypass in Errands Before

Publication date: 2026-01-12

Last updated on: 2026-02-05

Assigner: MITRE

Description
Errands before 46.2.10 does not verify TLS certificates for CalDAV servers.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-12
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-01-13
EPSS Evaluated
2026-06-14
NVD
CVE-2025-71063
EUVD
EUVD-2026-1930
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
mrvladus errands to 46.2.10 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-295 The product does not validate, or incorrectly validates, a certificate.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-71063 is a security vulnerability in the Errands application where TLS certificate verification for CalDAV servers was disabled by default before version 46.2.10. This means Errands accepted any TLS certificate, including invalid or malicious ones, without validating them. As a result, users are exposed to man-in-the-middle (MITM) attacks, allowing attackers to intercept or alter sensitive calendar and task data. The vulnerability stems from the Errands Python code explicitly setting ssl_verify_cert=False, bypassing proper SSL/TLS certificate validation. [1, 4]

Impact Analysis

This vulnerability can lead to man-in-the-middle attacks where an attacker intercepts or modifies your calendar and task data, which often contains private and sensitive personal information. Additionally, because Errands uses HTTP Basic authentication, credentials could be exposed in plaintext if TLS is compromised. This puts your data confidentiality and integrity at risk, potentially leading to credential theft and unauthorized data access. [1]

Detection Guidance

This vulnerability can be detected by inspecting the Errands application's configuration or source code to check if TLS certificate verification is disabled (i.e., if `ssl_verify_cert` is set to False) when connecting to CalDAV servers. Since Errands disables TLS certificate verification unconditionally in versions before 46.2.10, you can look for this setting in the Python CalDAV library usage within the application. Additionally, monitoring network traffic for TLS connections without proper certificate validation or using tools to detect man-in-the-middle attacks on CalDAV HTTPS connections may help. However, no specific commands are provided in the available resources. [1, 4]

Mitigation Strategies

To mitigate this vulnerability immediately, update the Errands application to version 46.2.10 or later, where the hardcoded disabling of TLS certificate verification has been removed and proper certificate validation is enforced. This update restores secure TLS handling and prevents man-in-the-middle attacks. Until the update is applied, avoid using Errands for CalDAV synchronization over untrusted networks, or consider alternative clients that enforce TLS certificate verification. The fix involves removing `ssl_verify_cert=False` so that SSL certificates are properly validated. [1, 5]

Compliance Impact

The vulnerability in Errands disables TLS certificate verification for CalDAV servers, exposing users to man-in-the-middle attacks that can intercept or alter sensitive calendar and task data containing private personal information. This undermines the confidentiality and integrity of user data, which are critical requirements under common standards and regulations such as GDPR and HIPAA. By allowing credential theft and data interception, the vulnerability could lead to non-compliance with these regulations' mandates for protecting personal and sensitive information during transmission. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-71063. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart