PT-2026-42782 · Pypi+3 · Idna+3
CVSS v3.1
9.8
Critical
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
idna (affected versions not specified)
Description
The
ToASCII() and ToUnicode() functions incorrectly accept Punycode-encoded labels that decode to an ASCII-only label. For instance, ToUnicode("xn--example-.com") returns "example.com" instead of an error. This behavior can lead to privilege escalation in programs using the idna package; a program performing privilege checks on an ASCII hostname might reject "example.com" but permit "xn--example-.com", and subsequently granting access to "example.com" after converting the hostname to Unicode.Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Exploit
LPE
DoS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Linuxmint
Rocky Linux
Ubuntu
Idna