PT-2026-41956 · Pypi · Idna

Published: 2026-05-19 · Updated: 2026-06-05 · CVE-2026-45409

CVSS v4.0: 6.9 (Medium)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

idna versions prior to 3.14

Description

A specially crafted argument passed to the idna.encode() function can consume significant system resources, potentially leading to a denial of service. This occurs because payloads containing specific characters, such as "\u0660" * N or "\u30fb" * N + "\u6f22", are processed by the valid_contexto() function before length rejection occurs. For high values of N, the processing time increases significantly.

Recommendations

Update to version 3.14 or later to ensure long inputs are rejected prior to processing. As a temporary workaround, enforce a domain name length limit of 253 characters before passing the input to the idna.encode() function.
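
One way to apply the temporary workaround is a wrapper that checks the length before any IDNA processing runs. This is an added example, not code from the idna project or from this advisory: `guarded_idna_encode`, `DomainTooLong` and the `encoder` parameter are hypothetical names, and not counting a single trailing root dot against the limit is an assumption.

```python
"""Length pre-check for idna.encode() input, following the advisory's workaround."""

MAX_DOMAIN_LENGTH = 253  # limit stated in the advisory


class DomainTooLong(ValueError):
    """Input rejected before any IDNA processing took place."""


def guarded_idna_encode(name, encoder=None, **kwargs):
    """Reject over-length names, then delegate to the IDNA encoder.

    `encoder` is a hypothetical injection point (tests, alternative codec);
    when omitted, the installed idna package's encode() is used.
    """
    if not isinstance(name, (str, bytes, bytearray)):
        raise TypeError("domain name must be str, bytes or bytearray")
    # len() and endswith() do not scan the input, so a hostile value costs
    # nothing here. Assumption: one trailing root dot ("example.com.") is
    # not counted against the limit.
    dot = "." if isinstance(name, str) else b"."
    effective = len(name) - (1 if name.endswith(dot) else 0)
    if effective > MAX_DOMAIN_LENGTH:
        raise DomainTooLong(
            f"domain name is {effective} characters, limit is {MAX_DOMAIN_LENGTH}"
        )
    if encoder is None:
        import idna  # third-party package, imported only when needed
        encoder = idna.encode
    return encoder(name, **kwargs)


if __name__ == "__main__":
    calls = []

    def recording_encoder(value, **kwargs):
        # Constructed stand-in for idna.encode that records each call.
        calls.append(value)
        return value.encode("ascii")

    print(guarded_idna_encode("example.com", encoder=recording_encoder))
    try:
        # Constructed over-length input using a character named in the advisory.
        guarded_idna_encode("\u0660" * 300, encoder=recording_encoder)
    except DomainTooLong as exc:
        print("rejected:", exc)
    print("encoder calls:", len(calls))  # the long input never reached it
```

Catch `DomainTooLong` at the point where untrusted hostnames enter the application so that rejected inputs can be logged and counted.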

Fix

DoS

Weakness Enumeration

Related Identifiers

CVE-2026-45409
GHSA-65PC-FJ4G-8RJX
OPENSUSE-SU-2026:10829-1

Affected Products

Idna