Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2024-12224

Summary
Assigner-mozilla
Assigner Org ID-f16b083a-5664-49f3-a51e-8d479e5ed7fe
Published At-30 May, 2025 | 01:16
Updated At-30 May, 2025 | 12:46
Rejected At-
Credits

idna accepts Punycode labels that do not produce any non-ASCII when decoded

Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:mozilla
Assigner Org ID:f16b083a-5664-49f3-a51e-8d479e5ed7fe
Published At:30 May, 2025 | 01:16
Updated At:30 May, 2025 | 12:46
Rejected At:
▼CVE Numbering Authority (CNA)
idna accepts Punycode labels that do not produce any non-ASCII when decoded

Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

Affected Products
Vendor
servo
Product
rust-url
Collection URL
https://crates.io/crates/idna
Package Name
idna
Repo
https://github.com/servo/rust-url/
Default Status
unaffected
Versions
Affected
  • From 0 before 1.0.0 (rust)
Problem Types
TypeCWE IDDescription
CWECWE-1289CWE-1289
Type: CWE
CWE ID: CWE-1289
Description: CWE-1289
Metrics
VersionBase scoreBase severityVector
4.05.1MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations

In applications using idna (but not in idna itself) this may be able to lead to privilege escalation when host name comparison is part of a privilege check and the behavior is combined with a client that resolves domains with such labels instead of treating them as errors that preclude DNS resolution / URL fetching and with the attacker managing to introduce a DNS entry (and TLS certificate) for an xn---masked name that turns into the name of the target when processed by idna 0.5.0 or earlier.

Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://rustsec.org/advisories/RUSTSEC-2024-0421.html
vendor-advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1887898
issue-tracking
Hyperlink: https://rustsec.org/advisories/RUSTSEC-2024-0421.html
Resource:
vendor-advisory
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1887898
Resource:
issue-tracking
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://bugzilla.mozilla.org/show_bug.cgi?id=1887898
exploit
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1887898
Resource:
exploit
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@mozilla.org
Published At:30 May, 2025 | 02:15
Updated At:30 May, 2025 | 16:31

Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary4.05.1MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Secondary
Version: 4.0
Base score: 5.1
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-1289Secondarysecurity@mozilla.org
CWE ID: CWE-1289
Type: Secondary
Source: security@mozilla.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://bugzilla.mozilla.org/show_bug.cgi?id=1887898security@mozilla.org
N/A
https://rustsec.org/advisories/RUSTSEC-2024-0421.htmlsecurity@mozilla.org
N/A
https://bugzilla.mozilla.org/show_bug.cgi?id=1887898134c704f-9b21-4f2e-91b3-4a467353bcc0
N/A
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1887898
Source: security@mozilla.org
Resource: N/A
Hyperlink: https://rustsec.org/advisories/RUSTSEC-2024-0421.html
Source: security@mozilla.org
Resource: N/A
Hyperlink: https://bugzilla.mozilla.org/show_bug.cgi?id=1887898
Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

0Records found
Details not found