CVE-2026-45409
Internationalized Domain Name Processing Denial of Service in Python IDNA
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| python | idna | all versions before 3.15 (3.15 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Internationalized Domain Names in Applications (IDNA) library for Python, specifically in versions prior to 3.15. It involves specially crafted inputs to the idna.encode() function that reach the valid_contexto function before the library's length rejection applies. For very large inputs, this processing can take a long time and consume significant resources.
The issue is similar to CVE-2024-3651, whose original fix was incomplete. Attackers can exploit this by providing arbitrarily large inputs that cause the function to consume excessive resources, potentially leading to a denial-of-service condition.
Starting with version 3.14, the library began rejecting long inputs early to reduce resource consumption, and this was extended in version 3.15 to additional functions. A practical workaround is to enforce the domain name length limit of 253 characters before passing input to idna.encode(), preventing excessive resource use.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker to cause a denial-of-service (DoS) condition. If specially crafted, very large inputs are sent to the idna.encode() function, the system may consume excessive processing time and resources.
This resource exhaustion can degrade system performance or cause the application to become unresponsive, potentially disrupting normal operations.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, ensure that any domain name input passed to the idna.encode() function does not exceed 253 characters in length.
This length limit should be enforced prior to calling the function to prevent significant resource consumption and potential denial-of-service.
Additionally, upgrading to version 3.15 or later of the IDNA library is recommended, as these versions include improved input length checks and extended protections against this issue.
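The mitigation above is easy to get wrong if the check is placed after the library call rather than before it. The following wrapper is an added example (not code from the idna project or from this page) that enforces the 253-character limit on the raw input before idna.encode() is even imported; it also applies the 63-character per-label limit from RFC 1035 as an extra guard. The names check_domain_length, safe_idna_encode and DomainTooLong are hypothetical; the encode path assumes the idna package is installed.

```python
"""Length pre-check in front of idna.encode().

Added example, not idna project code. The length limits are enforced on the
raw Unicode input so that an over-long string never reaches the library's
per-character context-rule validation.
"""

MAX_DOMAIN_LENGTH = 253  # total limit the advisory recommends enforcing
MAX_LABEL_LENGTH = 63    # per-label limit from RFC 1035, added here as an extra guard


class DomainTooLong(ValueError):
    """Raised when input fails the pre-check; nothing is handed to idna."""


def check_domain_length(domain: str) -> str:
    """Reject over-long input in O(n) before any IDNA processing happens.

    The check counts code points of the raw input. That is the conservative
    side: NFC normalization can shorten a few inputs, so a name right at the
    limit may be rejected here even though the library would have accepted
    it, but nothing over the limit is ever passed through.
    """
    stripped = domain[:-1] if domain.endswith(".") else domain  # one trailing dot is allowed
    if len(stripped) > MAX_DOMAIN_LENGTH:
        raise DomainTooLong(
            f"domain has {len(stripped)} code points, limit is {MAX_DOMAIN_LENGTH}"
        )
    # Only the ASCII dot is split here; the total-length check above still
    # covers labels separated by other full-stop characters that IDNA maps.
    for label in stripped.split("."):
        if len(label) > MAX_LABEL_LENGTH:
            raise DomainTooLong(
                f"label {label[:8]!r}... has {len(label)} code points, limit is {MAX_LABEL_LENGTH}"
            )
    return domain


def is_within_limits(domain: str) -> bool:
    """Boolean form of the pre-check, convenient for validation layers."""
    try:
        check_domain_length(domain)
        return True
    except DomainTooLong:
        return False


def safe_idna_encode(domain: str, **kwargs) -> bytes:
    """Drop-in replacement for idna.encode() with the pre-check in front."""
    check_domain_length(domain)  # runs before the library is imported at all
    import idna  # assumption: the idna package is installed

    return idna.encode(domain, **kwargs)


if __name__ == "__main__":
    # Constructed sample inputs: a normal name and the advisory's style of
    # very long input (10000 ARABIC-INDIC DIGIT ZERO characters).
    for sample in ("example.com", "\u0660" * 10000):
        print(len(sample), "code points ->", is_within_limits(sample))
```

Place the wrapper at the point where untrusted hostnames enter the application (request parsing, configuration loading, URL handling) rather than deep inside a helper, so that every caller gets the pre-check. The lazy import is deliberate: it makes the ordering visible and guarantees that a rejected input never touches the library.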
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is triggered by specially crafted, arbitrarily large inputs passed to the idna.encode() function in Python's IDNA library. Detection involves monitoring for unusually large or malformed domain name inputs that exceed normal length limits (253 characters) before they are processed by the library.
A practical detection approach is to implement input validation to reject domain names longer than 253 characters prior to calling idna.encode().
Since no specific detection commands or network signatures are provided, you can use Python scripts to test for the vulnerability by attempting to encode very long domain names and observing resource consumption or delays.
Example Python snippet to test for the vulnerability:
```python
import time
import idna

# Constructed test input: 10000 ARABIC-INDIC DIGIT ZERO characters, a CONTEXTO
# code point, so every character goes through valid_contexto.
domain = '\u0660' * 10000  # very long input
start = time.perf_counter()
try:
    idna.encode(domain)
except Exception as e:
    print(f'Error or delay detected: {e}')
print(f'elapsed: {time.perf_counter() - start:.2f}s')
```
For network detection, monitor for unusually large DNS queries or domain names exceeding typical length limits, but no specific commands are provided in the context.
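Since the affected range is defined purely by the installed package version, the quickest host-side check is to read the version and compare it against the fixed release the page names. The following is an added example (not from the page or the idna project); it reads the installed version through importlib.metadata and treats anything below 3.15 as affected. The names parse_version, is_affected and installed_idna_status are hypothetical, and the parser assumes plain X.Y[.Z] release tags, ignoring any pre-release suffix.

```python
"""Host-side version check for the idna package (added example).

Compares the installed idna version against the first fixed release the
advisory lists (3.15). Assumption: versions use plain X.Y[.Z] tags; any
non-numeric suffix such as 'rc1' is ignored.
"""
from importlib import metadata

FIXED_VERSION = (3, 15)  # first version outside the affected range


def parse_version(version: str) -> tuple:
    """Turn '3.14', '3.15.1' or '3.15rc1' into a tuple of ints for comparison."""
    parts = []
    for piece in version.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break  # drop any suffix like 'rc1' or 'post1'
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected(version: str) -> bool:
    """True when the given idna version is below the fixed release."""
    return parse_version(version) < FIXED_VERSION


def installed_idna_status() -> dict:
    """Report whether idna is installed and, if so, whether it is affected."""
    try:
        version = metadata.version("idna")
    except metadata.PackageNotFoundError:
        return {"installed": False, "version": None, "affected": False}
    return {"installed": True, "version": version, "affected": is_affected(version)}


if __name__ == "__main__":
    status = installed_idna_status()
    if not status["installed"]:
        print("idna is not installed in this interpreter")
    else:
        verdict = "AFFECTED (upgrade to 3.15 or later)" if status["affected"] else "not affected"
        print(f"idna {status['version']}: {verdict}")
```

Run it inside each virtual environment or container image you ship, since the package version differs per environment; `pip show idna` gives the same version string if you prefer a shell one-liner. For a fleet, the same comparison can be run over lock files or SBOM entries instead of live interpreters.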