CVE-2026-45409 Overview
CVE-2026-45409 is a denial-of-service vulnerability in the Python idna library, which provides support for Internationalized Domain Names in Applications (IDNA 2008) and Unicode IDNA Compatibility Processing (UTS #46). Before version 3.14, idna.encode() ran the per-code-point contextual check (valid_contexto) before enforcing any length limit on its input; the per-label and codec entry points did the same before version 3.15. An attacker can submit payloads such as "\u0660" * N (Arabic-Indic digit zero repeated) or "\u30fb" * N + "\u6f22" (Katakana middle dot repeated, followed by a Han ideograph) to idna.encode(). Because each occurrence of these code points re-scans the whole label, processing time grows quadratically with N, and a large N ties up a CPU core for the duration of one call. This is the same root issue as CVE-2024-3651, whose original remediation proved incomplete.
Critical Impact
Applications that pass unvalidated user input to idna.encode() (or to the per-label and codec entry points) can be forced into prolonged processing, leading to resource exhaustion and denial-of-service conditions [CWE-1333].
Affected Products
- Python idna library versions prior to 3.14 (the idna.encode() entry point)
- Python idna library versions prior to 3.15 (alternate entry points: per-label conversions such as alabel()/ulabel() and the codec support)
- Downstream applications that call idna on untrusted strings without validating input length first
Discovery Timeline
- 2026-06-05 - CVE-2026-45409 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-45409
Vulnerability Analysis
The vulnerability is an algorithmic complexity issue classified under [CWE-1333] (Inefficient Regular Expression Complexity), although no regular expression is involved: the expense comes from the contextual-rule (CONTEXTO) validation in valid_contexto, which the library runs on each code point before checking whether the overall input exceeds a reasonable length. Two of those rules (RFC 5892 Appendix A.7 for KATAKANA MIDDLE DOT U+30FB and A.8 for ARABIC-INDIC DIGITS U+0660..U+0669) are phrased as a scan of every character in the label, and the library evaluates the rule afresh for every occurrence. A label of N repeated U+0660 characters therefore costs about N² inner steps; a label of N repeated U+30FB characters followed by a Han ideograph (U+6F22) costs the same, because each dot scans to the end of the label before it finds the ideograph that satisfies its rule. Processing time grows quadratically with label length, so a single request can monopolize a CPU core.
Root Cause
The root cause is the order of operations inside idna.encode(): expensive per-character contextual validation ran before oversized inputs were rejected. The 2024 remediation for CVE-2024-3651 addressed this pattern in the main entry point but did not cover every code path that performs costly processing before length enforcement. Lesser-used entry points, including the per-label conversion helpers and the codec support, remained vulnerable until version 3.15.
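The quadratic behaviour described above, as an added illustration written for this article rather than code from the idna project: a simplified model of the two RFC 5892 CONTEXTO rules, once in the naive per-occurrence form (each U+0660..U+0669 or U+30FB rescans the whole label) and once with the label-wide facts computed in a single pass. Script membership is approximated with Unicode block ranges instead of the Script property the real library consults; the inner-loop step counter is an instrumentation detail added here so the growth is visible without timing. The payloads are the ones quoted on this page.

```python
# Added illustration for this article (not the idna library's own code): a
# simplified model of the two RFC 5892 CONTEXTO rules behind the payloads above.
# Script membership is approximated with Unicode block ranges; the real library
# uses the Unicode Script property, but the loop structure is what matters here.


def _is_kana_or_han(ch: str) -> bool:
    """Approximate 'Script(cp) in {Hiragana, Katakana, Han}' by block range."""
    cp = ord(ch)
    if cp == 0x30FB:                      # the middle dot itself is Script=Common, not Katakana
        return False
    return (0x3040 <= cp <= 0x309F        # Hiragana
            or 0x30A0 <= cp <= 0x30FF     # Katakana
            or 0x4E00 <= cp <= 0x9FFF)    # CJK Unified Ideographs (Han)


def contexto_naive(label: str) -> tuple[bool, int]:
    """Rule check as RFC 5892 phrases it: every occurrence rescans the whole label.

    Returns (rule_result, inner_loop_steps). Cost is O(n^2) when the label is
    dominated by U+0660..U+0669 or U+30FB.
    """
    steps = 0
    for ch in label:
        cp = ord(ch)
        if 0x0660 <= cp <= 0x0669:                    # A.8 ARABIC-INDIC DIGITS
            for other in label:                       # ... must not mix with U+06F0..U+06F9
                steps += 1
                if 0x06F0 <= ord(other) <= 0x06F9:
                    return False, steps
        elif cp == 0x30FB:                            # A.7 KATAKANA MIDDLE DOT
            found = False
            for other in label:                       # ... needs some Hiragana/Katakana/Han
                steps += 1
                if _is_kana_or_han(other):
                    found = True
                    break
            if not found:
                return False, steps
    return True, steps


def contexto_linear(label: str) -> tuple[bool, int]:
    """Same decision with the label-wide facts computed once: O(n)."""
    steps = 0
    has_ext_digit = has_kana_or_han = False
    for ch in label:                                  # pass 1: facts about the whole label
        steps += 1
        cp = ord(ch)
        if 0x06F0 <= cp <= 0x06F9:
            has_ext_digit = True
        elif _is_kana_or_han(ch):
            has_kana_or_han = True
    for ch in label:                                  # pass 2: per-occurrence decision, no rescans
        steps += 1
        cp = ord(ch)
        if 0x0660 <= cp <= 0x0669 and has_ext_digit:
            return False, steps
        if cp == 0x30FB and not has_kana_or_han:
            return False, steps
    return True, steps


if __name__ == "__main__":
    for n in (100, 1000, 3000):
        for payload in ("\u0660" * n, "\u30fb" * n + "\u6f22"):
            naive = contexto_naive(payload)[1]
            linear = contexto_linear(payload)[1]
            print(f"N={n:5d}  naive={naive:>12,d} steps  linear={linear:>8,d} steps")
```

Both functions reach the same verdict on every input; the only difference is that the naive form does N × N work on "\u0660" * N and N × (N + 1) on "\u30fb" * N + "\u6f22", while the single-pass form does 2N and 2(N + 1). A length cap applied before either check bounds N and therefore bounds the damage even in the naive form, which is the approach the fixed library versions take.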
Attack Vector
The attack vector is network-accessible wherever an application passes externally supplied strings to idna.encode() or the related entry points. Common exposure points include web frameworks and HTTP clients that normalize the Host header or URL hostnames, email systems validating sender domains, URL parsers, and TLS certificate processing pipelines. No authentication or user interaction is required; a single HTTP request carrying a crafted hostname can trigger the condition. The vulnerability affects availability only; confidentiality and integrity are not impacted.
The condition requires inputs far larger than any legitimate domain name (hundreds of repeated code points in a single label), which do not occur in normal usage. See the GitHub Security Advisory for the proof-of-concept payload structure.
Detection Methods for CVE-2026-45409
Indicators of Compromise
- Sustained high CPU utilization in Python processes invoking the idna module
- Inbound HTTP requests whose Host headers, URL hostnames, or domain-valued form fields exceed 253 characters in total or 63 characters in a single label
- Repeated requests containing Unicode code points U+0660 (Arabic-Indic digit zero) or U+30FB (Katakana middle dot) in domain-like fields
- Increased request latency or thread pool saturation in services that perform domain parsing
Detection Strategies
- Inspect application logs for unusually long hostname or email-domain values prior to library invocation
- Profile Python processes for stack frames inside idna/core.py consuming disproportionate CPU time
- Deploy WAF rules to flag URI components, headers, or form fields whose domain-like values exceed the textual limit of 253 characters (derived from RFC 1035's 255-octet wire limit) or 63 characters per label
- Correlate slow request traces with the presence of non-ASCII code points in domain fields
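The indicators and strategies listed above, turned into a log scan as an added example for this article (not part of the advisory). The records are constructed JSON lines with the fields ip, host, path and duration_ms; the field names and the 500 ms slow-request threshold are assumptions to adapt to your own access-log format.

```python
# Added detection example for this article (not from the advisory): scan request
# logs for the indicators listed above. Log lines are constructed JSON records
# with the fields ip, host, path and duration_ms; adapt the parsing to your own
# access-log format.
import json
from urllib.parse import parse_qs, urlsplit

MAX_DOMAIN = 253                       # textual domain-name limit (RFC 1035: 255 octets on the wire)
MAX_LABEL = 63                         # RFC 1035 label limit
CONTEXTO_CPS = {0x30FB} | set(range(0x0660, 0x066A))   # U+30FB and U+0660..U+0669


def domain_field_reasons(value: str) -> list[str]:
    """Why a single domain-like value looks like a CVE-2026-45409 probe, if at all."""
    reasons = []
    if len(value) > MAX_DOMAIN:
        reasons.append(f"length {len(value)} > {MAX_DOMAIN}")
    longest = max((len(lbl) for lbl in value.split(".")), default=0)
    if longest > MAX_LABEL:
        reasons.append(f"label length {longest} > {MAX_LABEL}")
    hits = sum(1 for ch in value if ord(ch) in CONTEXTO_CPS)
    if hits:
        reasons.append(f"{hits} CONTEXTO code points (U+0660..U+0669 / U+30FB)")
    return reasons


def scan_log(lines, slow_ms: int = 500) -> list[dict]:
    """Return one finding per suspicious request: {'ip': ..., 'reasons': [...]}."""
    findings = []
    for line in lines:
        rec = json.loads(line)
        # Domain-like fields: the Host header plus every query-string value
        # (percent-encoded UTF-8 in the query is decoded by parse_qs).
        fields = {"host": rec.get("host", "")}
        for key, values in parse_qs(urlsplit(rec.get("path", "")).query).items():
            for i, val in enumerate(values):
                fields[f"query:{key}[{i}]"] = val
        reasons = [f"{name}: {r}" for name, val in fields.items() for r in domain_field_reasons(val)]
        # Correlate slow requests with non-ASCII domain fields (last bullet above).
        non_ascii = any(ord(ch) > 0x7F for val in fields.values() for ch in val)
        if rec.get("duration_ms", 0) >= slow_ms and non_ascii:
            reasons.append(f"slow request ({rec['duration_ms']} ms) with non-ASCII domain field")
        if reasons:
            findings.append({"ip": rec.get("ip", "?"), "reasons": reasons})
    return findings


# Constructed sample records (not real traffic).
SAMPLE_LOG = [json.dumps(r) for r in (
    {"ip": "203.0.113.5", "host": "example.com", "path": "/", "duration_ms": 12},
    {"ip": "198.51.100.7", "host": "a" * 300 + ".example", "path": "/", "duration_ms": 30},
    {"ip": "198.51.100.9", "host": "api.example.com",
     "path": "/lookup?domain=" + "%D9%A0" * 40, "duration_ms": 4200},   # U+0660 x40, percent-encoded
    {"ip": "192.0.2.77", "host": "\u30fb" * 30 + "\u6f22.example", "path": "/", "duration_ms": 950},
)]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], "->", "; ".join(finding["reasons"]))
```

The first record is clean and produces nothing; the second trips both length limits; the third hides the U+0660 payload in a percent-encoded query parameter and is also slow; the fourth carries the U+30FB payload directly in the Host header. Length checks alone would miss the last two, which is why the code-point and latency correlations are listed as separate indicators.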
Monitoring Recommendations
- Enable per-request timeout instrumentation on endpoints that parse user-supplied domains
- Alert on CPU saturation events affecting individual worker processes rather than the whole host
- Track idna library version inventory across deployed Python environments and container images
- Monitor dependency manifests (requirements.txt, Pipfile.lock, poetry.lock) for pinned versions below 3.15
How to Mitigate CVE-2026-45409
Immediate Actions Required
- Upgrade the idna package to version 3.15 or later across all Python environments
- Audit application code for direct calls to idna.encode(), per-label conversions, and codec usage
- Enforce the DNS limits of 253 characters per domain name and 63 characters per label on any string before passing it to idna
- Apply request timeouts and CPU quotas to worker processes handling untrusted input
Patch Information
Starting in version 3.14, idna.encode() rejects long inputs as soon as practicable, prior to any further processing, to minimize resource consumption. Version 3.15 extends this approach to lesser-used alternate functions, including per-label conversions and codec support. Refer to the GitHub Security Advisory GHSA-65pc-fj4g-8rjx for the full patch reference.
Workarounds
- Enforce the 253-character domain length limit (and the 63-character label limit) at the application layer before invoking idna.encode()
- Wrap library calls in execution timeouts to bound worst-case processing duration
- Reject input containing non-printable or unexpected Unicode ranges at the network edge, where the service does not need to accept internationalized domains in those scripts
- Rate-limit endpoints that perform domain validation on untrusted input
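The length-limit workaround from the list above as an added example for this article, not code from the idna project: a cheap guard that bounds the size of what idna is asked to process, placed in front of idna.encode() and the per-label helper. The encoder and converter parameters are hypothetical hooks added here so the guard can be exercised without the library installed; in production leave them at their defaults, which resolve to idna.encode and idna.alabel.

```python
# Added mitigation example for this article (not the idna project's code): a
# cheap pre-check applied before idna.encode() and before the per-label helper.
# The encoder/converter arguments are hypothetical hooks so the guard can be
# tested without the library; by default they resolve to idna.encode / idna.alabel.
from typing import Callable, Optional

MAX_DOMAIN_CHARS = 253
MAX_LABEL_CHARS = 63
# Code points idna.encode() treats as label separators in non-strict mode.
LABEL_SEPARATORS = ".\u3002\uff0e\uff61"


class DomainRejected(ValueError):
    """Raised before any expensive processing when input violates the size limits."""


def guard_label(label: str) -> str:
    """Reject empty or over-long labels; a label of at most 63 code points bounds CONTEXTO work."""
    if not label:
        raise DomainRejected("empty label")
    if len(label) > MAX_LABEL_CHARS:
        raise DomainRejected(f"label too long ({len(label)} > {MAX_LABEL_CHARS})")
    return label


def guard_domain(domain: str) -> list[str]:
    """Split into labels and enforce both limits; returns the labels on success."""
    if not isinstance(domain, str):
        raise DomainRejected("domain must be str")
    if domain and domain[-1] in LABEL_SEPARATORS:   # one trailing dot is allowed
        domain = domain[:-1]
    if len(domain) > MAX_DOMAIN_CHARS:
        raise DomainRejected(f"domain too long ({len(domain)} > {MAX_DOMAIN_CHARS})")
    labels = [domain]
    for sep in LABEL_SEPARATORS:                      # split on every separator idna recognizes
        labels = [part for lbl in labels for part in lbl.split(sep)]
    return [guard_label(lbl) for lbl in labels]


def safe_encode(domain: str, encoder: Optional[Callable[[str], bytes]] = None) -> bytes:
    """Length-guarded idna.encode(): oversized input never reaches valid_contexto."""
    guard_domain(domain)
    if encoder is None:
        import idna                 # imported lazily so the guard itself has no dependency
        encoder = idna.encode
    return encoder(domain)


def safe_alabel(label: str, converter: Optional[Callable[[str], bytes]] = None) -> bytes:
    """Same guard for the per-label entry point (idna.alabel)."""
    guard_label(label)
    if converter is None:
        import idna
        converter = idna.alabel
    return converter(label)
```

After the guard, the worst case the library can see is a handful of labels of at most 63 code points each, so even the quadratic rule costs a few thousand steps rather than billions. The guard counts code points in the Unicode input; idna still applies its own post-encoding checks (a label can exceed 63 bytes after Punycode), so keep those in place and treat this as a CPU bound, not a replacement for the library's validation. Execution timeouts, the other workaround above, belong at the worker or request level (for example a WSGI/ASGI server's request timeout), since a pure-Python loop cannot be interrupted from inside the same thread.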
# Upgrade idna to a patched version (python -m pip targets the same interpreter verified below)
python -m pip install --upgrade 'idna>=3.15'
# Verify the installed version is 3.15 or later
python -c "import idna; print(idna.__version__)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.