CVE-2024-3651

Aliases:GHSA-jjg7-2v4v-x38hPYSEC-2024-60
Advisory lineage Upstream: 0 Downstream: 22
Modified
Published: 07 Jul 2024, 17:22
Last modified:04 Nov 2025, 22:06

Vulnerability Summary

Overall Risk (default)
medium
40/100
CVSS Score
7.5 HIGH
v3.1 (nvd)
EPSS Score
0.69% LOW
1% probability +0.02%
KEV
Not listed
Ransomware
No reports
Public exploits
1 found
Dark Web
Not detected

Timeline

07 Jul 2024, 17:22
Published
Vulnerability first disclosed
04 Nov 2025, 22:06
Last Modified
Vulnerability information updated

Description

A vulnerability was identified in the kjd/idna library, specifically within the `idna.encode()` function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently, a denial of service condition. This vulnerability is triggered by a crafted input that causes the `idna.encode()` function to process the input with considerable computational load, significantly increasing the processing time in a quadratic manner relative to the input size.

CVSS Metrics

  • v4.0MEDIUMScore: 6.9CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
  • v3.1HIGHScore: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • v3.1MEDIUMScore: 6.2CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • v3.0MEDIUMScore: 6.2CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

EPSS Trends

Current EPSS score: 0.69% Percentile: 72%

Techniques & Countermeasures

  • CWE-1333Inefficient Regular Expression Complexity

    The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.

Affected Systems

  • kjdinternationalized_domain_names_in_applications

    ≥ 0.2, < 3.7

  • kjdkjd/idna

    ≥ unspecified, < 3.7

  • PyPIidna

    < 1d365e17e10d72d0b7876316fc7b9ca0eebdd38d | ≥ 0.1, < 3.7 | < 3.7

References (15)