CVE-2024-3651 Overview
A vulnerability was identified in the kjd/idna library, specifically within the idna.encode() function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the idna.encode() function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.
Critical Impact
This algorithmic complexity vulnerability enables remote attackers to cause denial of service by sending specially crafted domain name inputs that trigger excessive CPU consumption during IDNA encoding operations.
Affected Products
- kjd internationalized_domain_names_in_applications version 3.6
Discovery Timeline
- 2024-07-07 - CVE-2024-3651 published to NVD
- 2025-11-04 - Last updated in NVD database
Technical Details for CVE-2024-3651
Vulnerability Analysis
The vulnerability exists in the idna.encode() function of the kjd/idna Python library, which is widely used for processing Internationalized Domain Names in Applications (IDNA). When the function receives specially crafted input strings, it exhibits quadratic time complexity (O(n²)) behavior, where processing time increases disproportionately with input size.
The idna library is a critical dependency in the Python ecosystem, used by popular packages including requests, urllib3, and other HTTP client libraries. This means applications that accept user-controlled domain names or URLs as input could be vulnerable to denial of service attacks if they process untrusted data through the vulnerable idna.encode() function.
The vulnerability is classified under CWE-1333 (Inefficient Regular Expression Complexity), indicating the root cause involves algorithmic inefficiency in string processing operations.
Root Cause
The root cause of this vulnerability is inefficient algorithmic implementation within the idna.encode() function. When processing certain input patterns, the function's internal operations scale quadratically rather than linearly with input size. This algorithmic complexity issue allows an attacker to craft inputs that consume disproportionate CPU resources, leading to service degradation or complete denial of service.
Attack Vector
The attack can be executed remotely over a network without requiring authentication or user interaction. An attacker can exploit this vulnerability by:
- Sending HTTP requests with maliciously crafted domain names in URLs
- Providing crafted internationalized domain names to any application component that processes them through the idna library
- Targeting web applications, APIs, or services that accept user-supplied domain names or URLs
The following patch from version 3.7 addresses this vulnerability:
History
-------
+3.7 (2024-04-11)
+++++++++++++++++
+
+- Fix issue where specially crafted inputs to encode() could
+ take exceptionally long amount of time to process. [CVE-2024-3651]
+
+Thanks to Guido Vranken for reporting the issue.
+
3.6 (2023-11-25)
++++++++++++++++
Source: GitHub Commit
Detection Methods for CVE-2024-3651
Indicators of Compromise
- Abnormally high CPU utilization on systems processing domain name inputs
- Increased response times or timeouts in services handling URL or domain name processing
- Presence of idna library version 3.6 or earlier in application dependencies
- Log entries showing slow request processing for endpoints accepting domain names or URLs
Detection Strategies
- Audit Python application dependencies using pip list or pip freeze to identify vulnerable idna versions (< 3.7)
- Implement application performance monitoring to detect unusual CPU spikes during domain name processing
- Use software composition analysis (SCA) tools to scan for CVE-2024-3651 in your dependency tree
- Monitor for requests containing unusually long or repetitive domain name patterns
Monitoring Recommendations
- Configure alerts for CPU utilization thresholds on services that process user-supplied URLs or domain names
- Implement request timeout monitoring to detect potential exploitation attempts
- Deploy real-time dependency scanning in CI/CD pipelines to prevent deployment of vulnerable versions
- Enable logging for domain name encoding operations to identify anomalous input patterns
How to Mitigate CVE-2024-3651
Immediate Actions Required
- Upgrade the idna library to version 3.7 or later immediately using pip install --upgrade idna
- Audit all Python applications and their dependencies to identify instances of vulnerable idna versions
- Implement input validation to limit the length and complexity of domain name inputs before processing
- Consider implementing request rate limiting on endpoints that accept domain name or URL inputs
Patch Information
The vulnerability has been fixed in idna version 3.7, released on 2024-04-11. The fix addresses the algorithmic complexity issue in the idna.encode() function. Security researcher Guido Vranken was credited with reporting this vulnerability.
The version update is reflected in the following patch:
-__version__ = '3.6'
+__version__ = '3.7'
Source: GitHub Commit
For additional details, refer to the Huntr Bug Bounty Report. Distribution-specific patches are available through Debian LTS and Fedora package repositories.
Workarounds
- Implement strict input length limits on domain names before passing them to idna.encode()
- Add request timeout configurations to prevent long-running encoding operations from consuming resources
- Deploy a web application firewall (WAF) rule to filter requests with excessively long domain name parameters
- Consider sandboxing or resource-limiting processes that handle untrusted domain name inputs
# Upgrade idna library to patched version
pip install --upgrade idna>=3.7
# Verify installed version
pip show idna | grep Version
# Check for vulnerable dependencies in your project
pip-audit --fix
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
