Key Information

Vulnerability ID: RUSTSEC-2024-0421
Report Date: December 9, 2024
Release Date: December 9, 2024
Affected Package: idna (crates.io)
Vulnerability Type: Privilege Escalation
Category: Privilege Escalation
Keywords: #idna #punycode #same-origin #domain-name
Aliases: CVE-2024-12224
Fixed Version: >=1.0.0

Description

versions 0.5.0 and earlier accept Punycode labels that do not produce any non-ASCII output. This allows ASCII labels or empty root labels to be masked such that they appear unequal when not processed by IDNA, or when processed with a different implementation, but become equal when processed by 0.5.0 or earlier.

Specifically, and become equal after processing with 0.5.0 or earlier. Similarly, and become equal after processing with 0.5.0 or earlier.

In applications using (but not within itself), when hostname comparison is part of a privilege check, and this behavior is combined with clients that parse such labels, it may lead to privilege escalation. Such clients resolve the masked domain name instead of treating it as an error that would prevent DNS resolution or URL fetching, which allows an attacker to introduce a DNS entry (and TLS certificate) for a masked name that becomes the target name after processing with 0.5.0 or earlier.

Solution

Upgrade to 1.0.3 or higher if directly depending on , or upgrade to 2.5.4 or higher if depending on through . (This issue was fixed in 1.0.0, but 1.0.3 or higher is recommended to avoid other issues.)

When upgrading, read the information about alternative Unicode backends for . If using Rust 1.81 or earlier with SQLx 0.8.2 or earlier, read about the issues combining them with 2.5.4 and 1.0.3.

Additional Information

This issue stems from 0.5.0 and earlier strictly implementing UTS 46, which had this vulnerability at the time. The specification vulnerability has been fixed in UTS 46 Revision 33.

Acknowledgments

Thanks to kageshiron for recognizing the security implications of this behavior.
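The masking described in the Description, and the UTS 46 Revision 33 rule that closes it, as an added Rust example that is not code from the advisory or from the idna crate: it uses a hand-written RFC 3492 Punycode decoder, and the functions label_to_unicode and same_host are hypothetical stand-ins for an application's own hostname comparison in a privilege check.

```rust
// Added example, not the advisory's or the idna crate's code: RFC 3492 decoding plus the UTS 46 Rev. 33 check.
/// Bias adaptation (RFC 3492 section 6.1) with base 36, tmin 1, tmax 26, skew 38, damp 700.
fn adapt(delta: u32, num_points: u32, first_time: bool) -> u32 {
    let (mut d, mut k) = (if first_time { delta / 700 } else { delta / 2 }, 0);
    d += d / num_points;
    while d > 455 { d /= 35; k += 36; } // 455 == ((base - tmin) * tmax) / 2
    k + 36 * d / (d + 38)
}
/// Decodes the text after "xn--" (RFC 3492 section 6.2); None means malformed. Input is assumed lowercased.
fn punycode_decode(input: &[u8]) -> Option<String> {
    if !input.is_ascii() { return None; }
    let delim = input.iter().rposition(|&b| b == b'-');
    let (basic, rest) = delim.map_or((&input[..0], input), |p| (&input[..p], &input[p + 1..]));
    let mut out: Vec<char> = basic.iter().map(|&b| b as char).collect();
    let (mut n, mut i, mut bias, mut pos) = (128u32, 0u32, 72u32, 0usize);
    while pos < rest.len() {
        let (old_i, mut w, mut k) = (i, 1u32, 36u32);
        loop {
            let digit = match *rest.get(pos)? {
                c @ b'a'..=b'z' => (c - b'a') as u32,
                c @ b'0'..=b'9' => (c - b'0') as u32 + 26,
                _ => return None,
            };
            pos += 1;
            i = i.checked_add(digit.checked_mul(w)?)?;
            let t = k.saturating_sub(bias).clamp(1, 26); // threshold, tmin..=tmax
            if digit < t { break; }
            w = w.checked_mul(36 - t)?;
            k += 36;
        }
        let len = out.len() as u32 + 1;
        bias = adapt(i - old_i, len, old_i == 0);
        n = n.checked_add(i / len)?;
        i %= len;
        out.insert(i as usize, char::from_u32(n)?);
        i += 1;
    }
    Some(out.into_iter().collect())
}
/// One label to Unicode; an "xn--" label with all-ASCII (or empty) output is an error, so it cannot alias a plain label.
fn label_to_unicode(label: &str) -> Result<String, &'static str> {
    let encoded = match label.strip_prefix("xn--") { Some(e) => e, None => return Ok(label.to_string()) };
    let decoded = punycode_decode(encoded.as_bytes()).ok_or("malformed Punycode")?;
    if decoded.is_ascii() { Err("Punycode label produces no non-ASCII output") } else { Ok(decoded) }
}
/// Hostname equality as used in a privilege check: any rejected label fails closed instead of comparing equal.
fn same_host(a: &str, b: &str) -> Result<bool, &'static str> {
    let conv = |h: &str| h.split('.').map(label_to_unicode).collect::<Result<Vec<_>, _>>();
    Ok(conv(a)? == conv(b)?)
}
```

Without the is_ascii rejection, punycode_decode turns "xn--example-" into "example" and "xn--" into the empty root label, which is exactly the equality the advisory describes.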