Skip to main content

Python idna CVE-2026-45409

MEDIUM
Inefficient Regular Expression Complexity (ReDoS) (CWE-1333)
2026-05-19 https://github.com/kjd/idna GHSA-65pc-fj4g-8rjx
6.9
CVSS 4.0 · Vendor: https://github.com/kjd/idna
Share

Severity by source

Vendor (https://github.com/kjd/idna) PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
SUSE
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from Vendor (https://github.com/kjd/idna).

CVSS VectorVendor: https://github.com/kjd/idna

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
Jun 05, 2026 - 23:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
May 19, 2026 - 15:34 vuln.today
Analysis Generated
May 19, 2026 - 15:34 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 36 pypi packages depend on idna (31 direct, 5 indirect)

Ecosystem-wide dependent count for version 3.15.

DescriptionCVE.org

This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. Payloads such as "\u0660" * N or "\u30fb" * N + "\u6f22" utilize the valid_contexto function prior to length rejection, and for high values of N will take a long time to process.

Impact

A specially crafted argument to the idna.encode() function could consume significant resources. This may lead to a denial-of-service.

Patches

Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate functions (i.e. per-label conversions and codec support).

Workarounds

Domain names cannot exceed 253 characters in length, if this length limit is enforced prior to passing the domain to the idna.encode() function it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.

AnalysisAI

Resource exhaustion in the Python idna library's idna.encode() function allows denial-of-service via specially crafted Unicode inputs that bypass the incomplete CVE-2024-3651 remediation. Affected versions process CONTEXTO-class codepoints - such as Arabic-Indic digit zero (U+0660) or Katakana middle dot (U+30FB) - through the valid_contexto validation function before length rejection occurs, enabling arbitrarily large inputs to consume significant CPU. Any Python application that passes unvalidated user input to idna.encode() or related per-label/codec functions without upstream length enforcement is exposed; no public exploit has been identified at time of analysis beyond the PoC payloads embedded in the advisory itself.

Technical ContextAI

The idna Python package (pkg:pip/idna) implements RFC 5891 Internationalized Domain Names in Applications encoding, converting Unicode domain labels to their ASCII-compatible encoding (ACE) form. The root cause is CWE-1333 (Inefficient Regular Expression Complexity / Algorithmic Complexity): certain Unicode codepoints carry a CONTEXTO joining property under RFC 5892, meaning their validity depends on surrounding characters and requires iterative context inspection via the valid_contexto function. The original CVE-2024-3651 fix introduced a length check in idna.encode(), but positioned it after the valid_contexto call for CONTEXTO codepoints. An input of N repetitions of U+0660 (Arabic-Indic digit zero) or a combination of U+30FB (Katakana middle dot) and U+6F22 (CJK unified ideograph) triggers O(N)-or-worse processing in valid_contexto before the length guard fires, creating a CPU exhaustion vector. Version 3.14 moved the length rejection earlier in the primary encode path; version 3.15 extended this hardening to per-label conversion functions and codec support.

RemediationAI

Upgrade idna to version 3.15 or later via pip install --upgrade idna, which is the vendor-released complete fix per GitHub Advisory GHSA-65pc-fj4g-8rjx. Version 3.14 is a partial fix covering the primary idna.encode() function but does not address per-label conversions or codec paths; version 3.15 is required for full remediation. As a compensating control, enforce the DNS maximum domain label and name length (253 characters total) at the application layer before any call to idna.encode() or related functions - this prevents arbitrarily long inputs from reaching the vulnerable processing path. This input validation should be treated as a defense-in-depth measure even after patching, since it enforces a valid protocol constraint regardless of library behavior. Applications using codec or per-label APIs should be audited specifically, as these paths were only hardened in 3.15. Full advisory: https://github.com/kjd/idna/security/advisories/GHSA-65pc-fj4g-8rjx.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed
SUSE Linux Enterprise High Performance Computing 12 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Micro 5.3 Fixed

Share

CVE-2026-45409 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy