PT-2024-3833 · Pypi+10 · Python-Idna+10

Guido Vranken · Published 2024-04-10 · Updated 2026-06-05 · CVE-2024-3651
CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: python-idna 3.6 and all earlier releases (fixed in 3.7).
Description: idna.encode() takes time that grows quadratically with the length of certain crafted input strings, so a single oversized host name can occupy a CPU core for a long time. In 3.6 the function performs its expensive validation before it rejects the input, so a string that can never be a valid domain name (far longer than any real one) still pays the full cost. Because idna is installed as a dependency of widely used HTTP clients such as requests, idna.encode() is routinely reached with attacker-supplied host names (for example a URL handed to a server-side fetcher), which is why this is a remotely triggerable denial of service with availability impact only (A:H, no confidentiality or integrity impact).
Recommendations: Upgrade python-idna to 3.7 or later, where the function rejects such strings before doing the expensive work; pin idna>=3.7 in requirements or constraints files and check transitive pins, since idna is usually pulled in indirectly rather than installed directly. As a temporary workaround, reject domain names longer than 253 characters before passing them to idna.encode(): 253 is the maximum length of a DNS name, so the cap turns away nothing legitimate while bounding the cost to that of a 253-character input.
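The length guard from the workaround above, written out as an added example (it is not the advisory's or the idna project's code). It enforces the 253-character cap, plus the per-label 63-character DNS limit as an extra tightening, before anything reaches idna.encode(), and includes a check that the installed idna release contains the fix. The names check_domain_length, is_within_dns_limits, safe_idna_encode, idna_is_patched and the encoder parameter are chosen here; only idna.encode and idna.__version__ are the library's own. The sample host names in the main block are constructed for the demonstration.

```python
"""Pre-filter for the CVE-2024-3651 workaround: enforce DNS length limits
before a host name reaches idna.encode().

Added example for this advisory; not code from the idna project. idna is
imported lazily, so the guard itself has no third-party dependency, and the
'encoder' parameter lets callers (and tests) substitute their own encoder.
"""
import re

# RFC 1035 limits: a presentation-form domain name is at most 253 characters
# and every label at most 63. The advisory's workaround is the 253 cap; the
# per-label cap is an addition here that tightens the filter.
MAX_DOMAIN_LENGTH = 253
MAX_LABEL_LENGTH = 63

# idna.encode() splits labels on these code points as well as on '.'.
_LABEL_SEPARATORS = re.compile("[.\u3002\uff0e\uff61]")


class DomainTooLong(ValueError):
    """Input exceeds DNS length limits; raised before any IDNA processing."""


def check_domain_length(domain: str) -> str:
    """Raise DomainTooLong for inputs that can never be a valid DNS name.

    Punycode output is never shorter than its input (every code point yields
    at least one output character), so rejecting a >253-character input
    cannot turn away a name idna.encode() would have accepted. Caveat: with
    uts46=True the mapping step may delete ignorable code points, so a very
    long input padded with them is rejected here although idna might have
    mapped it down; that is the trade-off the workaround accepts.
    """
    if not isinstance(domain, str):
        raise TypeError("domain must be str")
    # A single trailing separator marks an absolute name and is not counted.
    measured = domain[:-1] if _LABEL_SEPARATORS.match(domain[-1:]) else domain
    if len(measured) > MAX_DOMAIN_LENGTH:
        raise DomainTooLong(
            f"domain is {len(measured)} characters, limit is {MAX_DOMAIN_LENGTH}")
    for label in _LABEL_SEPARATORS.split(measured):
        if len(label) > MAX_LABEL_LENGTH:
            raise DomainTooLong(
                f"label is {len(label)} characters, limit is {MAX_LABEL_LENGTH}")
    return domain


def is_within_dns_limits(domain: str) -> bool:
    """Boolean form of check_domain_length, for filters and tests."""
    try:
        check_domain_length(domain)
    except DomainTooLong:
        return False
    return True


def safe_idna_encode(domain: str, encoder=None, **kwargs) -> bytes:
    """Apply the length guard, then encode; 'encoder' defaults to idna.encode."""
    check_domain_length(domain)
    if encoder is None:
        import idna  # lazy: only needed when actually encoding
        encoder = idna.encode
    return encoder(domain, **kwargs)


def idna_is_patched(version: str) -> bool:
    """True for idna 3.7 or later, the release that contains the fix."""
    major, minor = (int(p) for p in version.split(".")[:2])
    return (major, minor) >= (3, 7)


if __name__ == "__main__":
    try:
        import idna
        status = ("fixed" if idna_is_patched(idna.__version__)
                  else "VULNERABLE, upgrade to >= 3.7")
        print(f"idna {idna.__version__}: {status}")
    except ImportError:
        print("idna not installed; the guard still works stand-alone")

    # Constructed samples: a plain name, an absolute IDN, and an oversized one.
    samples = ["example.com", "b\u00fccher.example.", "a" * 300 + ".example"]
    for s in samples:
        verdict = "pass" if is_within_dns_limits(s) else "rejected before idna"
        print(f"{s[:32]!r:>40} -> {verdict}")
```

The guard deliberately raises rather than truncating: a host name that is too long for DNS is a malformed request, and silently shortening it would change which host the caller reaches. The lazy import keeps the filter usable in front of any IDNA encoder, including the stdlib idna codec, if a service cannot upgrade immediately.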

Exploit

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2024:3466
ALSA-2024:3846
ALSA-2024:4260
ALT-PU-2024-13879
AZL-43201
AZL-43204
AZL-43207
AZL-43210
AZL-59690
BDU:2024-04211
CESA-2024_3466
CESA-2024_4260
CVE-2024-3651
DLA-3811-1
GHSA-JJG7-2V4V-X38H
INFSA-2024_3466
INFSA-2024_3846
INFSA-2024_4260
MGASA-2024-0245
OESA-2024-1606
OESA-2024-1653
OESA-2024-1655
OESA-2024-1673
OESA-2024-1801
OESA-2024-1802
OPENSUSE-SU-2024:13874-1
OPENSUSE-SU-2024_1439-1
OPENSUSE-SU-2024_1939-1
PYSEC-2024-60
RHSA-2024:3466
RHSA-2024:3543
RHSA-2024:3552
RHSA-2024:3781
RHSA-2024:3846
RHSA-2024:4260
RHSA-2024:8365
RHSA-2024_3466
RHSA-2024_3846
RHSA-2024_4260
RLSA-2024:3466
RLSA-2024:3846
ROSA-SA-2024-2531
SUSE-SU-2024:1428-1
SUSE-SU-2024:1439-1
SUSE-SU-2024:1439-2
SUSE-SU-2024:1939-1
SUSE-SU-2024:4020-1
SUSE-SU-2024:4021-1
SUSE-SU-2024:4029-1
SUSE-SU-2024_1428-1
SUSE-SU-2024_1439-1
SUSE-SU-2024_1939-1
USN-6780-1
USN-7762-1

Affected Products

Alt Linux
Almalinux
Astra Linux
Centos
Linuxmint
Red Hat
Red Os
Rocky Linux
Suse
Ubuntu
Python-Idna