Description
Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` reach the `valid_contexto` function before length rejection, and for high values of `N` will take a long time to process. This is the same issue as CVE-2024-3651; the original remediation in 2024 was not a complete fix. A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial of service. Starting in version 3.14, the function rejects long inputs as soon as practicable, prior to any further processing, to minimize resource consumption. In version 3.15, this approach was extended to the less used alternate functions (i.e., per-label conversions and codec support). A workaround is available. Domain names cannot exceed 253 characters in length. If this length limit is enforced prior to passing the domain to the `idna.encode()` function, it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library if there is no preliminary input validation by the higher-level application.
Published: 2026-06-05
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A specially crafted input to the idna.encode() function in the idna library can cause the routine to spend an excessive amount of time processing Unicode strings, resulting in significant resource consumption and potential denial of service. The flaw is a length-based time-consumption issue identified as CWE-1333.

Affected Systems

The vulnerability affects the kjd:idna library for Python in all releases prior to version 3.15. Any Python application that imports and uses this library without applying the 3.15 update or additional input validation is potentially impacted.

Risk and Exploitability

With a CVSS score of 6.9, the flaw presents a moderate severity risk. No EPSS score is available, and the issue is not listed in the CISA KEV catalog. The likely attack vector involves providing a user-controlled or externally supplied domain string containing a very high repetition of certain Unicode characters to the idna.encode() call, causing the application to consume excessive CPU resources. The vulnerability does not expose any direct code-execution path and requires only the ability to influence the input to the library.

Generated by OpenCVE AI on June 5, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the idna library to version 3.15 or later to ensure proper early length rejection for all functions.
  • Before calling idna.encode(), enforce a maximum domain name length of 253 characters as a defensive guard against excessive input.
  • Apply application-level input validation that rejects or sanitizes unusually long or repetitive domain strings before they reach the idna.encode() function.
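The workaround described in the description and in the recommended actions above, as an added example that is not part of the advisory or of the idna project: a guard that enforces the 253-character domain limit (and, going one step further than the advisory, the 63-character label limit) on the Unicode input before it is ever handed to idna.encode(). The `idna` package is assumed to be installed only where safe_encode() is actually called; the guard itself needs no third-party code.

```python
# Added example (not from the idna project): a defensive length guard applied
# before idna.encode(), following the workaround in the advisory.
# Assumption: the `idna` package is available wherever safe_encode() is used.
from __future__ import annotations

MAX_DOMAIN_LENGTH = 253   # RFC 1035 limit on a fully qualified domain name
MAX_LABEL_LENGTH = 63     # RFC 1035 limit on a single label


def domain_length_ok(domain: str) -> bool:
    """Cheap O(n) check that runs before any IDNA processing.

    A Unicode string longer than 253 code points can never become a
    valid domain name, so rejecting it here keeps it away from the
    expensive contextual-rule checks (valid_contexto) entirely.
    """
    if not domain:
        return False
    # A single trailing dot (the root label) is allowed and not counted.
    name = domain[:-1] if domain.endswith(".") else domain
    if len(name) > MAX_DOMAIN_LENGTH:
        return False
    labels = name.split(".")
    # Empty labels ("a..b", leading dot) and over-long labels are invalid.
    return all(0 < len(label) <= MAX_LABEL_LENGTH for label in labels)


def safe_encode(domain: str) -> bytes:
    """Convert to A-label form only after the length guard has passed."""
    if not domain_length_ok(domain):
        raise ValueError("domain name exceeds RFC 1035 length limits")
    import idna  # third-party package; imported lazily so the guard stands alone
    return idna.encode(domain)


if __name__ == "__main__":
    # Constructed inputs: an ordinary name, and the oversized repetition
    # pattern named in the advisory, which the guard rejects without
    # touching idna at all.
    print(domain_length_ok("example.com"))        # True
    print(domain_length_ok("\u0660" * 100_000))   # False
```

The guard checks the Unicode input, which is what the advisory's workaround asks for; idna.encode() still performs its own validation on the encoded ASCII form once the guard has passed.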


Advisories
Source: Github GHSA
ID: GHSA-65pc-fj4g-8rjx
Title: Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
History

Fri, 05 Jun 2026 22:30:00 +0000

Values added (no values removed):
Description: identical to the Description above.
Title: Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
Weaknesses: CWE-1333
References: none listed
Metrics: cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T22:06:07.082Z

Reserved: 2026-05-12T01:48:40.452Z

Link: CVE-2026-45409

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T23:16:43.343

Modified: 2026-06-05T23:16:43.343

Link: CVE-2026-45409

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T23:30:07Z

Weaknesses