Severity: Medium

Package: idna

Quadratic Complexity DoS in IDNA Encoding

A vulnerability in the `idna` library, specifically in the `idna.encode()` function, allows for denial of service (DoS) through crafted input strings due to quadratic complexity. This issue affects version 3.6 and was patched in version 3.7. The vulnerability can significantly impact systems using `idna` for URL parsing, including those relying on `urllib3`.

Available publicly on Jul 07 2024

CVSS score: 6.2

CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Credit: gvranken

Threat Overview

The vulnerability arises from the way `idna.encode()` processes certain input strings. By crafting a specific string that exploits the quadratic complexity of the encoding process, an attacker can cause the function to consume excessive computational resources. This is particularly problematic in contexts where `idna` is used for parsing URLs, as is common in many web and network applications. The issue is exacerbated by the fact that relatively small malicious payloads can lead to disproportionately large computational loads, making it an efficient vector for DoS attacks.

Attack Scenario

An attacker crafts a malicious URL containing a specific sequence of characters designed to exploit the quadratic complexity of the `idna.encode()` function. This URL is then sent to a server or service that uses `idna` for URL parsing, such as through an API endpoint that accepts URLs for processing. The server attempts to parse the URL using `idna.encode()`, resulting in excessive CPU usage and potentially leading to service degradation or unavailability.

Who is affected

The vulnerability primarily affects servers and services that use the idna library for URL parsing. This includes a wide range of web applications, APIs, and network services that rely on idna directly or indirectly through dependencies such as urllib3. End-users and organizations using these services may experience reduced availability or increased compute costs due to the exploitation of this vulnerability.
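A defensive wrapper, added here as an example and not code from the advisory or the `idna` project: it bounds a hostname to the DNS length limits (RFC 1035: 63 octets per label, 253 overall) before handing it to `idna.encode()`, so oversized input never reaches the quadratic path, and it flags an installed `idna` release older than the 3.7 fix. The names `safe_idna_encode`, `hostname_size_ok` and `idna_is_vulnerable` are assumptions.

```python
"""Defensive wrapper around idna.encode(): gate input size before encoding and
flag an unpatched idna release. Added example, not code from the advisory."""
import importlib.metadata

try:
    import idna  # the library the advisory covers
except ImportError:  # absent: the size gate and version check still work
    idna = None

MAX_HOSTNAME_LEN = 253  # RFC 1035 limit on a full hostname (octets)
MAX_LABEL_LEN = 63      # RFC 1035 limit on a single label
FIXED_VERSION = (3, 7)  # first release the advisory names as patched


def parse_version(text: str) -> tuple:
    """Turn '3.6' or '3.7.1' into a comparable tuple of ints
    (pre-release suffixes are dropped and so compare as vulnerable)."""
    return tuple(int(part) for part in text.split(".") if part.isdigit())


def idna_is_vulnerable(version_text: str) -> bool:
    """True when the given idna version predates the 3.7 fix."""
    return parse_version(version_text) < FIXED_VERSION


def installed_idna_is_vulnerable() -> bool:
    """Check the installed idna distribution (raises if idna is not installed)."""
    return idna_is_vulnerable(importlib.metadata.version("idna"))


def hostname_size_ok(host: str) -> bool:
    """Cheap O(n) length gate. A hostname that violates the DNS limits can never
    be valid, so rejecting it here keeps oversized input away from the encoder,
    whose cost grows quadratically with input length on the affected release."""
    host = host.rstrip(".")
    if not host or len(host) > MAX_HOSTNAME_LEN:
        return False
    return all(0 < len(label) <= MAX_LABEL_LEN for label in host.split("."))


def safe_idna_encode(host: str) -> bytes:
    """Encode only after the size gate passes (hypothetical wrapper name)."""
    if not hostname_size_ok(host):
        raise ValueError("hostname exceeds DNS length limits; refusing to encode")
    if idna is None:
        raise RuntimeError("idna is not installed")
    return idna.encode(host)
```

The gate is a complement to upgrading, not a replacement: upgrading to 3.7 or later removes the quadratic behaviour, while the gate only caps how much work an attacker-controlled hostname can demand.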
