CVE-2024-12224 MEDIUM

CVE-2024-12224: idna accepts Punycode labels that do not produce any non-ASCII when decoded

Vendor Servo
Product rust-url
Weakness CWE-1289
Published May 30, 2025
Last update May 30, 2025

CVSS base score

5.1/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N

What the vulnerability does

01 Description

Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.
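A defensive check for the condition in the title, written as an added example (not code from the idna crate or rust-url): it uses Python's standard `punycode` codec to flag `xn--` labels that decode to ASCII only, and reports the plain hostname such a label is equivalent to. The function names and the sample hostnames are constructed for illustration.

```python
# Added example: flag Punycode labels whose decoded form contains no non-ASCII.
# Function names are hypothetical; hostnames in the demo are constructed samples.

ACE_PREFIX = "xn--"

def decode_ace_label(label):
    """Decode one 'xn--' label. Returns None if the label is not Punycode
    or is malformed (malformed labels should be rejected by a separate check)."""
    lower = label.lower()
    if not lower.startswith(ACE_PREFIX):
        return None
    try:
        return lower[len(ACE_PREFIX):].encode("ascii").decode("punycode")
    except UnicodeError:
        return None

def ascii_only_punycode_labels(host):
    """Return (label, decoded) pairs for labels that decode to ASCII only.
    A valid IDN label must decode to at least one non-ASCII character."""
    hits = []
    for label in host.rstrip(".").split("."):
        decoded = decode_ace_label(label)
        if decoded is not None and decoded.isascii():
            hits.append((label, decoded))
    return hits

def ascii_alias(host):
    """Return the plain-ASCII hostname the input collapses to once the
    offending labels are decoded, or None if the hostname is clean."""
    hits = dict(ascii_only_punycode_labels(host))
    if not hits:
        return None
    labels = host.rstrip(".").split(".")
    return ".".join(hits.get(l, l) for l in labels).lower()

if __name__ == "__main__":
    # Constructed inputs: a plain name, an ASCII-only Punycode label, a real IDN.
    for host in ("example.org", "xn--example-.org", "xn--mnchen-3ya.de"):
        alias = ascii_alias(host)
        print(host, "->", f"REJECT (equivalent to {alias})" if alias else "ok")
```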

Key dates

02 Disclosure timeline

May 30, 2025 CVE published
May 30, 2025 Record updated