A vulnerability, CVE-2024-3651, has been disclosed in the popular Python idna library (versions up to and including 3.6), maintained by kjd. It affects the idna.encode() function: a specially crafted input string forces the function to consume an excessive amount of CPU time, which an attacker can use for denial of service (DoS) against any application that encodes untrusted domain names.

This article explains the vulnerability, how it works, and what you can do about it.

What is idna?

idna is a widely used Python library for Internationalized Domain Names in Applications (IDNA), implementing the IDNA 2008 protocol (RFC 5891). It converts Unicode domain names to the ASCII-compatible form (A-labels prefixed with xn--) that DNS requires, and validates that each label obeys the protocol's rules along the way.

Example usage

import idna

print(idna.encode("müller.com").decode())
# Output: xn--mller-kva.com

Where is the problem?

The vulnerability lies in the implementation of idna.encode() in version 3.6 and earlier. When handling certain crafted input, the function falls into a quadratic complexity trap: the time it takes grows with the square of the label length, so doubling the input roughly quadruples the work. A label of a few thousand code points is enough to turn a call that should take microseconds into one that takes seconds.

Impact

By providing a specially constructed string, an attacker can make the function take far longer than expected. In a web server that encodes attacker-supplied hostnames (for example while validating a URL, an email domain, or a redirect target), each such request ties up a worker for the whole duration; a handful of concurrent requests is enough to exhaust the worker pool and make the application unresponsive.

How Does the Attack Work?

Attackers generate an input that triggers the function's worst-case behaviour. The quadratic cost arises when the per-code-point work itself grows with the length of the label, typically because a validation step rescans a large part of the label or recomputes a large substring; an input that repeats such code points many times in a single label pays that cost once per repetition.

The illustration below uses repeated combining marks as the crafted input; the reporter's exact input is not reproduced in this article.

Exploit Example

Below is a simplified harness for timing idna.encode() on a crafted input. It is a measurement scaffold rather than the reporter's proof-of-concept: substitute whatever input you want to test and compare the elapsed time against a normal domain.

import time

import idna

# Construct a crafted input: 'a' followed by 100 copies of U+0300 COMBINING
# GRAVE ACCENT. The escape needs four hex digits ("\u0300"); "\u030" is a
# syntax error in Python.
evil_input = "a" + "\u0300" * 100

start_time = time.perf_counter()
try:
    result = idna.encode(evil_input)
    outcome = f"encoded to {len(result)} bytes"
except idna.IDNAError as exc:
    # Report rejections too: an input that fails an early check will be
    # fast regardless of the library version.
    outcome = f"rejected: {exc}"
end_time = time.perf_counter()

print(f"Encoding took {end_time - start_time:.4f} seconds ({outcome})")

On an affected version, an input that reaches the quadratic path takes time proportional to the square of the label length, so doubling the label roughly quadruples the delay; the growth is quadratic, not exponential. One catch with the input above: once 'a' and the first accent compose to 'à', the label is no longer in Normalization Form C, and idna rejects it with an IDNAError before any of the expensive checks run. To observe the slowdown, use an input that survives normalization and the other early checks, and time it at two label lengths to see the growth.

References

- GitHub issue/PR tracking CVE-2024-3651 in kjd/idna (if/when available)
- NVD entry for CVE-2024-3651
- Upstream advisory
- idna encode() documentation

Mitigation

Upgrade idna:

The issue is fixed in idna 3.7. Upgrade with pip install --upgrade "idna>=3.7" and pin that floor in your requirements or lock file so a resolver cannot pull an older version back in. Remember that idna is frequently an indirect dependency (requests pulls it in), so check the version that is actually installed, not just the ones you declare.

Validate Input:

If you cannot update right away, reject inputs that could never be a valid domain before they reach idna.encode(). DNS limits a name to 253 octets and a label to 63 octets, and the encoded A-label is never shorter than the Unicode label it came from, so any name or label that exceeds those limits in code points can be dropped without losing a legitimate domain. A cheap length check runs in linear time and removes the long labels the attack depends on.

Set Timeouts:

For web servers, cap request sizes at the proxy and enforce a timeout that actually frees the worker. A socket or read timeout does not interrupt CPU-bound Python code, so use a worker-level timeout that kills a stuck worker (gunicorn's --timeout is one example) so that a single slow encode() call cannot hold a worker indefinitely.
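To make the "validate input" and "input size limit" advice concrete, here is an added example of a pre-validation gate placed in front of idna.encode(). It is not code from the idna project or from this article's original author; the names check_domain and safe_encode, the error messages and the sample inputs are assumptions of this example. The limits it enforces are the DNS ones from RFC 1035 (63 octets per label, 253 for the whole name), applied in code points, which is safe because punycode never produces fewer characters than it consumes.

```python
"""Pre-validation gate for untrusted domain names, to run before idna.encode().

Added example, not code from the idna project. It rejects only inputs that
could never encode to a valid DNS name, so it cannot turn away a legitimate
domain, and it does linear-time work only, so it is safe on arbitrary input.
"""
import re
from typing import Optional

# DNS wire limits (RFC 1035): 63 octets per label, 253 octets for the whole
# name in presentation form. Checked in code points, which is a lower bound
# on the A-label length: punycode output is never shorter than its input,
# and the "xn--" prefix only adds to it.
MAX_LABEL_CODEPOINTS = 63
MAX_NAME_CODEPOINTS = 253

# The same label separators idna.encode() recognises in its default
# (non-strict) mode: FULL STOP, IDEOGRAPHIC FULL STOP, FULLWIDTH FULL STOP,
# HALFWIDTH IDEOGRAPHIC FULL STOP.
_DOTS = re.compile("[\u002e\u3002\uff0e\uff61]")


def check_domain(name: str) -> Optional[str]:
    """Return None if `name` is shaped like a domain that could be valid,
    otherwise a short reason for rejecting it.

    Touches no idna code, so a hostile input costs at most one pass over
    the string here.
    """
    if not isinstance(name, str):
        return "expected a str"
    if len(name) > MAX_NAME_CODEPOINTS:
        return f"domain too long ({len(name)} code points, max {MAX_NAME_CODEPOINTS})"

    labels = _DOTS.split(name)
    if labels and labels[-1] == "":  # allow one trailing dot (FQDN form)
        labels.pop()
    if not labels:
        return "empty domain"

    for label in labels:
        if label == "":
            return "empty label"
        if len(label) > MAX_LABEL_CODEPOINTS:
            return f"label too long ({len(label)} code points, max {MAX_LABEL_CODEPOINTS})"
        # Whitespace and C0/DEL controls are never valid in a label; drop
        # them here rather than letting idna spend time on them.
        if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in label):
            return "whitespace or control character in label"
    return None


def safe_encode(name: str) -> bytes:
    """Gate idna.encode() behind check_domain(); raises ValueError on rejection."""
    reason = check_domain(name)
    if reason is not None:
        raise ValueError(f"rejected domain: {reason}")
    import idna  # imported here so the gate itself has no idna dependency

    return idna.encode(name)


if __name__ == "__main__":
    # Constructed sample inputs: a normal IDN, an FQDN with trailing dot, the
    # crafted shape from the timing harness above, and an over-long label.
    samples = [
        "müller.com",
        "example.com.",
        "a" + "\u0300" * 100 + ".example",
        "a" * 64 + ".com",
    ]
    for candidate in samples:
        print(f"{candidate[:24]!r:>28} -> {check_domain(candidate) or 'ok'}")
```

The gate does only linear-time work and does not import idna itself, so it can sit directly on raw request data and be unit-tested without the library installed. Pair it with a request body limit at the proxy (nginx's client_max_body_size) and a worker timeout that actually kills a CPU-bound worker (gunicorn's --timeout).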

Keep dependencies up to date:

- Use a dependency vulnerability scanner (such as pip-audit or Safety) in CI so a known-vulnerable idna release fails the build rather than shipping.

Conclusion

CVE-2024-3651 demonstrates how complex text processing can open unexpected doors for attackers: no memory corruption, just an input that makes a validation routine do far more work than it should. The best defence is keeping your project's dependencies updated and applying input validation and resource controls wherever untrusted data is processed.

If your Python product uses idna, check the installed version (pip show idna) and upgrade to 3.7 or later.

Timeline

Published on: 07/07/2024 18:15:09 UTC
Last modified on: 07/11/2024 14:58:01 UTC