CVE-2026-45409
Analyzed Analyzed - Analysis Complete
Internationalized Domain Name Processing Denial of Service in Python IDNA

Publication date: 2026-06-05

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description
Internationalized Domain Names in Applications (IDNA) for Python provides support for Internationalized Domain Names in Applications (IDNA) and Unicode IDNA Compatibility Processing. In versions prior to 3.15, payloads such as `"\u0660" * N` or `"\u30fb" * N + "\u6f22"` utilize the `valid_contexto` function prior to length rejection, and for high values of `N` will take a long time to process. This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. A specially crafted argument to the `idna.encode()` function could consume significant resources. This may lead to a denial-of-service. Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate functions (i.e. per-label conversions and codec support). A workaround is available. Domain names cannot exceed 253 characters in length. If this length limit is enforced prior to passing the domain to the `idna.encode()` function, it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage, but may be passed to the library assuming there is no preliminary input validation by the higher-level application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-15
Generated
2026-06-27
AI Q&A
2026-06-06
EPSS Evaluated
2026-06-25
NVD
CVE-2026-45409
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
kjd internationalized_domain_names_in_applications to 3.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1333 The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Internationalized Domain Names in Applications (IDNA) library for Python, specifically in versions prior to 3.15. It involves the processing of certain specially crafted inputs to the idna.encode() function that use the valid_contexto function before length rejection. For very large inputs, this processing can take a long time and consume significant resources.

The issue is similar to CVE-2024-3651, where the original fix was incomplete. Attackers can exploit this by providing arbitrarily large inputs that cause the function to consume excessive resources, potentially leading to a denial-of-service condition.

Starting with version 3.14, the library began rejecting long inputs early to reduce resource consumption, and this was extended in version 3.15 to additional functions. A practical workaround is to enforce the domain name length limit of 253 characters before passing input to idna.encode(), preventing excessive resource use.

Impact Analysis

This vulnerability can impact you by allowing an attacker to cause a denial-of-service (DoS) condition. By sending specially crafted, very large inputs to the idna.encode() function, the system may consume excessive processing time and resources.

This resource exhaustion can degrade system performance or cause the application to become unresponsive, potentially disrupting normal operations.

Mitigation Strategies

To mitigate this vulnerability, ensure that any domain name input passed to the idna.encode() function does not exceed 253 characters in length.

This length limit should be enforced prior to calling the function to prevent significant resource consumption and potential denial-of-service.

Additionally, upgrading to version 3.15 or later of the IDNA library is recommended, as these versions include improved input length checks and extended protections against this issue.

Detection Guidance

This vulnerability is triggered by specially crafted, arbitrarily large inputs passed to the idna.encode() function in Python's IDNA library. Detection involves monitoring for unusually large or malformed domain name inputs that exceed normal length limits (253 characters) before they are processed by the library.

A practical detection approach is to implement input validation to reject domain names longer than 253 characters prior to calling idna.encode().

Since no specific detection commands or network signatures are provided, you can use Python scripts to test for the vulnerability by attempting to encode very long domain names and observing resource consumption or delays.

Example Python snippet to test for the vulnerability:

  • import idna
  • try:
  • domain = '\u0660' * 10000 # very long input
  • idna.encode(domain)
  • except Exception as e:
  • print(f'Error or delay detected: {e}')

For network detection, monitor for unusually large DNS queries or domain names exceeding typical length limits, but no specific commands are provided in the context.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45409. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart