CVE-2021-42694

Vulnerability

The Unicode Specification through version 14.0 contains character definitions that permit the creation of homoglyphs — characters that render visually identical to a target identifier but are semantically distinct [1]. This issue affects all software relying on Unicode identifiers unless mitigations are applied. An adversary can define function or variable names using homoglyph characters that appear exactly like legitimate identifiers in source code, but are processed differently by compilers or interpreters [2][4]. In particular, Unicode control characters such as Right-to-Left Override (U+202E) can be used to reorder tokens visually, making commented-out code appear executable, as demonstrated in JavaScript examples [4].

Exploitation

To exploit this vulnerability, an attacker needs the ability to contribute or modify source code in an upstream software dependency, often via a public repository or package manager [1]. The attacker inserts homoglyph identifiers into the dependency, taking advantage of the fact that human code reviewers see the same visual representation as the legitimate identifier [2][4]. No special network position or authentication is required beyond standard contribution access; the attack vector relies on social deception during code review. The attacker may also use Unicode control characters to visually rearrange lines of code, making comments appear active or altering control flow [4].

Impact

Successful exploitation can lead to arbitrary code injection in downstream software that includes the compromised dependency. The attacker may achieve full application compromise depending on the context of the injected code [1][4]. The impact spans all aspects of confidentiality, integrity, and availability, as injected code could steal credentials, modify data, or enable remote code execution. The attack exploits trust in human-readable identifiers and is particularly dangerous because the deceptive code appears legitimate in most development environments [2][4].

Mitigation

The Unicode Consortium provides guidance in Unicode Technical Standard #39 (UTS #39) and Unicode Technical Report #36 [1]. Recommended mitigations include using identifier security profiles that restrict allowed Unicode characters, performing normalization of identifiers (e.g., NFKC), and implementing visual spoofing detection mechanisms. Developers should use tools that flag homoglyph characters and control characters during code review and CI/CD pipelines. As of Unicode 14.0.0 (September 2021), the underlying character definitions enabling homoglyphs remain present, but software vendors must apply the recommended filters [3]. No single patch exists for the Unicode standard itself; individual applications and build systems must enforce proper identifier validation.