
Oikos

v0.60.4 Security

This release includes two security fixes, a regular-expression denial-of-service in the ICS calendar parser and unthrottled admin-only documentation endpoints, relevant to anyone running an exposed deployment. No CVE has been assigned to either issue.

Published 10h ago. Category: Productivity & Wikis
✓ No known CVEs patched

Topics

docker, family, family-planner, home-automation, planner-app, privacy-first, progressive-web-app, pwa, self-hosted, selfhosted-apps

ReleasePort's take

Moderate signal (automated editorial, 7h ago)

Release v0.60.4 fixes a regular-expression denial-of-service (ReDoS) vulnerability in the ICS calendar parser.

Why it matters: a crafted subscribed or imported calendar can freeze the server while it is parsed (ReDoS; ReleasePort severity 90). Upgrade to v0.60.4 promptly, in particular on instances that fetch calendar subscriptions from sources you do not control.

Summary

AI summary

Fixes a regular-expression denial-of-service vulnerability in the ICS calendar parser.

Changes in this release

Security (Critical)

Fixes a regular-expression denial-of-service (ReDoS) in the ICS calendar parser.

Source: llm_adapter@2026-06-03

Confidence: high

Security (Medium)

Applies API rate limiter to admin-only `/docs` and `/openapi.json` endpoints.

Bugfix (Medium)

Preserves time of day for tasks with `VALUE=DATE-TIME` due dates.

Full changelog

Security

  • Fix a regular-expression denial-of-service (ReDoS) in the ICS calendar parser (CodeQL #10). The parameter-list patterns matching DUE/DTSTART lines allowed catastrophic backtracking on a crafted line containing many ; separators without a closing colon, which could freeze the server while parsing a malicious subscribed or imported calendar. The inner character class is now restricted so the separator and parameter content no longer overlap.
  • Apply the API rate limiter to the admin-only /docs and /openapi.json endpoints (CodeQL #11, #12). Both routes live outside the rate-limited /api/ path and were previously unthrottled.

Fixed

  • Keep the time of day for tasks whose DUE value uses VALUE=DATE-TIME. The date-only detection ended in a word boundary after DATE; because the hyphen in DATE-TIME is a non-word character, that boundary also matched VALUE=DATE-TIME, so timed reminders imported via CalDAV/ICS were truncated to their date and lost their time. The check now requires the VALUE parameter to be exactly DATE.
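The two regex bugs above, the catastrophic-backtracking parameter pattern and the over-eager `VALUE=DATE` word-boundary check, share the same root: a pattern that accepts more than the ICS grammar intends. The following is an added example, not Oikos code; the regex shapes are reconstructed from the changelog's description (a `(;[^:]*)*` parameter list whose inner class overlaps the `;` separator, and a `\b`-terminated date-only check), not the project's actual patterns, and every sample line is constructed here.

```python
"""Added example, not Oikos code: DUE/DTSTART property-line parsing showing the
two regex pitfalls described in the v0.60.4 changelog and hardened equivalents.
Regex shapes are reconstructions of the changelog text, not the real patterns."""
import re
import time

# Vulnerable shape. "[^:]*" can also consume ';', so separator and parameter
# content overlap: a line with n separators and no ':' can be split into
# parameter groups in 2**(n-1) ways, and the engine tries every split before
# reporting no match (catastrophic backtracking).
VULNERABLE_PROP = re.compile(r"^(DUE|DTSTART)(;[^:]*)*:(.*)$")

# Hardened shape. "[^;:]*" excludes the separator, so each ';' starts exactly
# one parameter and a failed match costs time linear in the line length.
HARDENED_PROP = re.compile(r"^(DUE|DTSTART)(;[^;:]*)*:(.*)$")

# Buggy date-only check: '-' is a non-word character, so "\b" after DATE also
# succeeds inside "VALUE=DATE-TIME" and timed values are treated as all-day.
BUGGY_DATE_ONLY = re.compile(r"VALUE=DATE\b")


def crafted_line(n: int) -> str:
    """Attacker-controlled line: property name, n separators, no closing ':'."""
    return "DUE" + ";" * n


def parse_property(line: str, pattern: re.Pattern = HARDENED_PROP):
    """Return (name, params, value) for a DUE/DTSTART line, or None.

    Quoted parameter values (RFC 5545 allows ':' inside "...") are not
    handled; this is a small illustration of the regex shapes, not a full parser.
    """
    m = pattern.match(line)
    if m is None:
        return None
    name, value = m.group(1), m.group(3)
    # A repeated group only retains its last repetition, so recover the whole
    # parameter list from the text between the name and the ':' before value.
    param_text = line[len(name):m.start(3) - 1]
    params = {}
    for item in param_text.split(";")[1:]:
        key, _, val = item.partition("=")
        params[key.upper()] = val
    return name, params, value


def is_date_only_buggy(line: str) -> bool:
    """Pre-fix behaviour: misclassifies VALUE=DATE-TIME as date-only."""
    return BUGGY_DATE_ONLY.search(line) is not None


def is_date_only_fixed(line: str) -> bool:
    """Compare the parsed VALUE parameter exactly instead of using a word boundary."""
    parsed = parse_property(line)
    return parsed is not None and parsed[1].get("VALUE") == "DATE"


def match_seconds(pattern: re.Pattern, line: str) -> float:
    """Wall-clock time of one match attempt, enough to show the exponential growth."""
    start = time.perf_counter()
    pattern.match(line)
    return time.perf_counter() - start


if __name__ == "__main__":
    timed = "DUE;VALUE=DATE-TIME;TZID=Europe/Berlin:20260603T090000"  # constructed
    print(parse_property(timed))
    print("buggy date-only:", is_date_only_buggy(timed),
          "fixed date-only:", is_date_only_fixed(timed))
    # Each extra separator roughly doubles the vulnerable pattern's cost,
    # while the hardened pattern rejects the same line in microseconds.
    for n in (14, 16, 18, 20):
        line = crafted_line(n)
        print(f"n={n}: vulnerable {match_seconds(VULNERABLE_PROP, line):.4f}s, "
              f"hardened {match_seconds(HARDENED_PROP, line):.6f}s")
```

Run it and the vulnerable timings double with every added `;`, while the hardened pattern stays flat; a real subscribed feed can carry a line with thousands of separators, which is why the changelog describes the server freezing. Restricting the inner class is the minimal fix the release describes; splitting on the first `:` and then on `;` without any regex is the more robust approach when the grammar allows it, because it removes backtracking from the parser altogether.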

About Oikos

Family planner for small households
