PT-2021-4640 · Unknown · Unicode Specification

Credited: Nicholas Boucher +1

Published: 2021-11-01 · Updated: 2024-10-29 · CVE-2021-42694

CVSS v2.0: 10 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: Unicode Specification versions through 14.0

Description: An issue was discovered in the character definitions of the Unicode Specification. The specification allows an adversary to produce source code identifiers, such as function names, using homoglyphs: characters that render visually identical to a target identifier but are distinct from it at the code point level. Adversaries can leverage this to inject code by defining adversarial identifiers in upstream software dependencies that are then invoked deceptively in downstream software. Any application that implements support for The Unicode Standard can be affected.

Recommendations: For Unicode Specification versions through 14.0, consider implementing the mitigations provided in Unicode Technical Standard #39, Unicode Security Mechanisms, to address homoglyph characters being used to inject adversarial identifier definitions. As a temporary workaround, developers can review their code to detect and prevent the use of homoglyph characters in source code identifiers. Additionally, restricting the use of international text in places affected by this issue may help minimize the risk of exploitation until a more permanent solution is implemented. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
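As an added example of the interim review step above (not part of the advisory or of UTS #39 itself), the following Python scanner flags non-ASCII identifiers, reports the scripts they mix, and groups identifiers that collapse to the same look-alike form; the identifier syntax, the sample source and the small confusable table are constructed assumptions, and a real deployment would load the full UTS #39 confusables.txt.

```python
"""Added example, not part of the advisory: flag source-code identifiers that
could pass for an ASCII identifier through homoglyphs (CVE-2021-42694).
Standard library only; the confusable table is a constructed UTS #39 subset."""
import re
import unicodedata

# Identifier syntax assumed here: a Unicode letter or '_' followed by word characters.
IDENT_RE = re.compile(r"[^\W\d]\w*")

# Constructed subset of UTS #39 confusables: Cyrillic letters and their Latin look-alikes.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0456": "i", "\u0458": "j"}

def script_of(ch: str) -> str:
    """Coarse script label taken from the character's Unicode name."""
    first = unicodedata.name(ch, "").split(" ")[0]
    return first if first in ("LATIN", "CYRILLIC", "GREEK") else "OTHER"

def skeleton(ident: str) -> str:
    """Look-alike form of an identifier, in the spirit of the UTS #39 skeleton."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", ident))

def find_suspicious_identifiers(source: str) -> list:
    """Each distinct non-ASCII identifier with the scripts it mixes and its non-ASCII code points."""
    seen = {}
    for m in IDENT_RE.finditer(source):
        ident = m.group(0)
        if ident.isascii() or ident in seen:
            continue
        seen[ident] = {
            "identifier": ident,
            "scripts": sorted({script_of(c) for c in ident if c.isalpha()}),
            "codepoints": [f"U+{ord(c):04X}" for c in ident if not c.isascii()],
        }
    return list(seen.values())

def find_collisions(source: str) -> dict:
    """Skeletons shared by two or more distinct identifiers: the homoglyph case."""
    groups: dict = {}
    for m in IDENT_RE.finditer(source):
        groups.setdefault(skeleton(m.group(0)), set()).add(m.group(0))
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed sample: the second definition spells 'a' as U+0430 CYRILLIC SMALL LETTER A.
SAMPLE_SOURCE = """
def say_hello():
    return "hello"
def s\u0430y_hello():
    return "not the function you read"
result = s\u0430y_hello()
"""
```

Running `find_collisions(SAMPLE_SOURCE)` shows both spellings of `say_hello` under one skeleton, which is the condition a reviewer wants to reject before the dependency is merged.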

Exploit

Code Injection


Weakness Enumeration

Related Identifiers

BDU:2021-05329
CVE-2021-42694

Affected Products

Unicode Specification