Quadratic Complexity DoS in IDNA Encoding
A vulnerability in the `idna` library, specifically in the `idna.encode()` function, allows for denial of service (DoS) through crafted input strings due to quadratic complexity. This issue affects version 3.6 and was patched in version 3.7. The vulnerability can significantly impact systems using `idna` for URL parsing, including those relying on `urllib3`.
Available publicly on Jul 07 2024 | Available with Premium on Apr 11 2024
Remediation Steps
- Update the `idna` library to version 3.7 or later.
- Review and sanitize input strings before passing them to `idna.encode()` to prevent exploitation.
- Implement rate limiting or anomaly detection mechanisms to identify and mitigate potential DoS attacks.
- Monitor CPU usage and set up alerts for unusual spikes that could indicate an ongoing attack.
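The "review and sanitize input" step above, as an added example that is not the idna project's own code: a small pre-check that bounds the size of any hostname before it reaches `idna.encode()`, so oversized input never enters the slow path at all. The helper names (`check_hostname`, `safe_encode`, `RejectedHostname`) are this example's own, and the fallback to the stdlib `"idna"` codec when the library is not installed is an assumption made so the snippet runs anywhere.

```python
# Added example, not code from the idna project.
try:
    import idna  # the third-party library the advisory concerns
except ImportError:
    idna = None  # assumption: fall back to the stdlib "idna" codec if absent

MAX_DOMAIN_LEN = 253  # longest domain name permitted by RFC 1034
MAX_LABEL_LEN = 63    # longest single label permitted by RFC 1034


class RejectedHostname(ValueError):
    """Input refused by the pre-check; idna.encode() is never called."""


def check_hostname(name: str) -> str:
    """Return the name (minus an optional trailing root dot) if it is within
    the RFC size limits, otherwise raise RejectedHostname.

    Lengths are measured on the Unicode input. The ASCII (punycode) form is
    never shorter than the Unicode form, so nothing rejected here could have
    been a valid name, while oversized input never reaches the encoder.
    """
    if not isinstance(name, str):
        raise RejectedHostname("hostname must be str")
    name = name[:-1] if name.endswith(".") else name
    if not name or len(name) > MAX_DOMAIN_LEN:
        raise RejectedHostname(f"domain length out of range: {len(name)}")
    for label in name.split("."):
        if not label or len(label) > MAX_LABEL_LEN:
            raise RejectedHostname(f"label length out of range: {len(label)}")
    return name


def safe_encode(name: str) -> bytes:
    """Encode to ASCII only after check_hostname() has bounded the input."""
    name = check_hostname(name)
    if idna is not None:
        return idna.encode(name)
    return name.encode("idna")  # stdlib IDNA2003 codec; rules differ slightly


if __name__ == "__main__":
    print(safe_encode("bücher.example"))
    try:
        safe_encode("a" * 1000)  # constructed oversized input
    except RejectedHostname as exc:
        print("rejected:", exc)
```

Route every call that encodes attacker-controlled hostnames through `safe_encode()`; the length checks are cheap and independent of which `idna` version is installed.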
Patch Details
- Fixed Version: 3.7
- Patch Commit: https://github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d