PyPi: Idna

CVE-2024-3651

Safety vulnerability ID: 67895

This vulnerability was reviewed by experts

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Jul 07, 2024 Updated at Nov 29, 2024

Scan your Python projects for vulnerabilities →

Advisory

Affected versions of Idna are vulnerable to Denial Of Service via the idna.encode(), where a specially crafted argument could lead to significant resource consumption. In version 3.7, this function has been updated to reject such inputs efficiently, minimizing resource use. A practical workaround involves enforcing a maximum domain name length of 253 characters before encoding, as the vulnerability is triggered by unusually large inputs that normal operations wouldn't encounter.

Affected package

idna

Latest version: 3.10

Internationalized Domain Names in Applications (IDNA)

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources

Use this package?

Scan your Python project for dependency vulnerabilities in two minutes

Scan your application

Severity Details

CVSS Base Score

HIGH 7.5

CVSS v3 Details

HIGH 7.5

Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality Impact (C): NONE
Integrity Impact (I): NONE
Availability Availability (A): HIGH