PT-2024-17492 · Sqlx+5
Published 2024-01-01 · Updated 2026-03-19
CVE-2024-12224
CVSS v2.0: 10.0 (High)
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
idna versions 0.5.0 and earlier
url versions prior to 2.5.4
Description
The issue is an improper validation of an unsafe equivalence in Punycode by the idna crate from Servo's rust-url: an A-label (a label beginning with `xn--`) whose Punycode decodes to pure ASCII is accepted and mapped onto the plain ASCII label it spells out (for example, `xn--example-` decodes to `example`). An attacker can therefore craft a Punycode hostname that one part of a system treats as distinct from another hostname (compared bytewise, `xn--example-.com` is not `example.com`) while another part of the same system, which runs the names through idna, treats the two as equivalent. In applications using idna, this may lead to privilege escalation when hostname comparison is part of a privilege check. The issue resulted from idna 0.5.0 and earlier implementing the UTS 46 specification literally on this point, and the specification itself having this bug.
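As an added example (not code from the idna crate or rust-url), the block below implements a minimal RFC 3492 Punycode decoder in Rust together with a hostname-to-Unicode conversion in two variants: a lenient one, which models the literal UTS 46 reading the advisory describes and lets `xn--example-.com` collapse onto `example.com`, and a strict one, which refuses any `xn--` label whose decoded form contains no non-ASCII character. The rule the strict variant enforces is my summary of what the fix has to guarantee, not a quotation from the idna source; the hostnames are constructed for the demonstration.

```rust
// Added example, not code from the idna crate: a minimal RFC 3492 Punycode decoder
// plus a hostname conversion in two flavours, lenient (accepts an A-label that decodes
// to pure ASCII) and strict (rejects it). All hostnames here are constructed inputs.

const BASE: u32 = 36; const TMIN: u32 = 1; const TMAX: u32 = 26;
const SKEW: u32 = 38; const DAMP: u32 = 700;
const INITIAL_BIAS: u32 = 72; const INITIAL_N: u32 = 128;

/// Bias adaptation, RFC 3492 section 6.1.
fn adapt(mut delta: u32, num_points: u32, first_time: bool) -> u32 {
    delta = if first_time { delta / DAMP } else { delta / 2 };
    delta += delta / num_points;
    let mut k = 0;
    while delta > ((BASE - TMIN) * TMAX) / 2 {
        delta /= BASE - TMIN;
        k += BASE;
    }
    k + ((BASE - TMIN + 1) * delta) / (delta + SKEW)
}

/// Punycode digit value: a-z = 0..25, 0-9 = 26..35 (case-insensitive).
fn digit_value(c: u8) -> Option<u32> {
    match c {
        b'a'..=b'z' => Some(u32::from(c - b'a')),
        b'A'..=b'Z' => Some(u32::from(c - b'A')),
        b'0'..=b'9' => Some(u32::from(c - b'0') + 26),
        _ => None,
    }
}

/// Decodes the text after `xn--` (RFC 3492 section 6.2); None on a bad digit or overflow.
/// Note that `example-` decodes to the pure-ASCII `example`: no deltas follow the delimiter.
pub fn punycode_decode(input: &str) -> Option<String> {
    let bytes = input.as_bytes();
    // Code points before the last '-' are copied as-is; the rest is the delta stream.
    let (basic, tail) = match bytes.iter().rposition(|&b| b == b'-') {
        Some(pos) => (&bytes[..pos], &bytes[pos + 1..]),
        None => (&bytes[..0], bytes),
    };
    if !basic.is_ascii() { return None; }
    let mut output: Vec<char> = basic.iter().map(|&b| b as char).collect();
    let (mut n, mut i, mut bias) = (INITIAL_N, 0u32, INITIAL_BIAS);
    let mut pos = 0;
    while pos < tail.len() {
        let oldi = i;
        let (mut w, mut k) = (1u32, BASE);
        loop {
            let digit = digit_value(*tail.get(pos)?)?;
            pos += 1;
            i = i.checked_add(digit.checked_mul(w)?)?;
            let t = if k <= bias { TMIN } else if k >= bias + TMAX { TMAX } else { k - bias };
            if digit < t { break; }
            w = w.checked_mul(BASE - t)?;
            k += BASE;
        }
        let len = output.len() as u32 + 1;
        bias = adapt(i - oldi, len, oldi == 0);
        n = n.checked_add(i / len)?;
        i %= len;
        output.insert(i as usize, char::from_u32(n)?);
        i += 1;
    }
    Some(output.into_iter().collect())
}

/// Converts each label of `host` to Unicode. With `reject_ascii_only` set, an `xn--`
/// label whose decoded form has no non-ASCII character is refused instead of accepted.
fn convert(host: &str, reject_ascii_only: bool) -> Option<String> {
    let mut labels = Vec::new();
    for raw in host.split('.') {
        let label = raw.to_ascii_lowercase();
        labels.push(match label.strip_prefix("xn--") {
            Some(payload) => {
                let decoded = punycode_decode(payload)?;
                // The unsafe equivalence: this A-label would alias a plain ASCII label.
                if reject_ascii_only && decoded.is_ascii() { return None; }
                decoded
            }
            None => raw.to_ascii_lowercase(),
        });
    }
    Some(labels.join("."))
}

/// Lenient conversion, modelling the literal UTS 46 reading the advisory describes.
pub fn host_to_unicode(host: &str) -> Option<String> { convert(host, false) }

/// Hardened conversion: the ASCII-only A-label is rejected rather than collapsed.
pub fn host_to_unicode_strict(host: &str) -> Option<String> { convert(host, true) }

fn main() {
    let (a, b) = ("xn--example-.com", "example.com");
    println!("bytewise equal: {}", a == b);
    println!("lenient: {:?} vs {:?}", host_to_unicode(a), host_to_unicode(b));
    println!("strict:  {:?} vs {:?}", host_to_unicode_strict(a), host_to_unicode_strict(b));
    println!("ordinary IDN still converts: {:?}", host_to_unicode_strict("xn--mnchen-3ya.de"));
}
```

Compile and run the file on its own with `rustc` (no crates are needed). A privilege check that compares the two hostnames bytewise sees them as different, while any component that first runs them through the lenient conversion sees them as the same; that split between two parts of one system is exactly what the advisory warns about, and the strict variant removes it by refusing the aliasing label while still converting a genuine IDN such as `xn--mnchen-3ya.de`.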
Recommendations
Upgrade to idna 1.0.3 or later, if depending on idna directly.
Upgrade to url 2.5.4 or later, if depending on idna via url.
To find out which of the two applies, `cargo tree -i idna` lists every crate in the build that pulls in idna, whether directly or through url.
When upgrading, please take a moment to read about alternative Unicode back ends for idna.
If you are using Rust earlier than 1.81 in combination with SQLx 0.8.2 or earlier, please also read the issue about combining them with url 2.5.4 and idna 1.0.3.
Affected Products
Debian
Rust
Sqlx
Suse
Idna
Url