Denial of Service via Quadratic Complexity in kjd/idna
Description
A vulnerability was identified in the kjd/idna library, specifically within the idna.encode() function, affecting version 3.6. The issue arises from the function's handling of crafted input strings, which can lead to quadratic complexity and consequently a denial-of-service condition. This vulnerability is triggered by a crafted input that causes the idna.encode() function to process the input under considerable computational load, with processing time growing quadratically relative to the input size.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2024-3651 is a denial-of-service vulnerability in kjd/idna library 3.6 caused by quadratic complexity in idna.encode() when processing crafted input strings.
Vulnerability
Overview
CVE-2024-3651 describes a denial-of-service (DoS) weakness in the kjd/idna library, specifically in the idna.encode() function, affecting version 3.6 [1]. The root cause is an algorithmic inefficiency: when the function is fed a specially crafted input string, its execution time increases quadratically with the length of the input [1]. This behavior is a classic algorithmic complexity vulnerability that can be exploited to consume excessive CPU resources.
Exploitation
Prerequisites
An attacker can trigger the vulnerability by sending a malformed domain name or other input that is passed to idna.encode() without any special privileges or network position [1][3]. No authentication is required, and the attack can be mounted remotely if the library is used in a service that processes user-supplied domain names. The idna library is widely used as a drop-in replacement for Python's standard encodings.idna module, as noted in its GitHub repository [2].
Impact
Successful exploitation leads to a denial-of-service condition. An attacker can cause the affected application to consume significantly more CPU time than normal, potentially making it unresponsive or causing resource exhaustion [1]. This could impact any service that processes external input through idna.encode(), including web servers, email handlers, or any Python application relying on this library for internationalized domain name conversion.
Mitigation
Status
The vulnerability is present only in version 3.6 of the idna library. The PyPI advisory database marks it as a confirmed issue [3]. Users should upgrade to a patched version (3.7 or later) as soon as possible; at the time of publication, no workaround other than updating has been documented [1][2]. Organizations using Fedora Linux should watch for updated packages via the official channels [4].
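A defensive guard for the prerequisites and impact described above, added here as an example and not code from the idna project: it bounds the input to the DNS size limits (253 octets per name, 63 per label, RFC 1035) before anything reaches encode(), so the quadratic code path can never be fed unbounded input, and it reports whether the installed kjd/idna is at or above the 3.7 patch level. It assumes the package imports as `idna` and exposes `idna.__version__`, and falls back to the standard library `idna` codec otherwise; the names `safe_idna_encode`, `check_name_bounds`, `library_is_patched` and `is_rejected` are this example's own. The advisory documents no workaround other than upgrading, so the length bound is a defence-in-depth check layered on top of the version check, not a replacement for it.

```python
"""Defensive wrapper around IDNA encoding (added example, not idna's own code).

Rejects input longer than any valid DNS name before it reaches idna.encode(),
so the cost of the quadratic path is capped at a small n, and reports whether
the installed kjd/idna is at or above the first patched release (3.7).
"""

try:
    import idna  # kjd/idna, if installed
    IDNA_VERSION = getattr(idna, "__version__", "unknown")
except ImportError:
    idna = None  # fall back to the stdlib "idna" codec that kjd/idna replaces
    IDNA_VERSION = "stdlib"

MAX_NAME_LEN = 253        # longest valid DNS name (octets, dots included)
MAX_LABEL_LEN = 63        # longest valid DNS label
PATCHED_VERSION = (3, 7)  # first release the advisory lists as patched


class UnsafeInput(ValueError):
    """Input rejected before any IDNA processing was attempted."""


def parse_version(text):
    """Turn '3.7' or '3.7.1' into a comparable tuple of ints.

    Only the leading digits of each component count, so '3.7rc1' -> (3, 7).
    """
    parts = []
    for component in text.split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


def library_is_patched(version=None):
    """True/False for a kjd/idna version string; None if it cannot be told."""
    version = IDNA_VERSION if version is None else version
    if version in ("stdlib", "unknown"):
        return None
    return parse_version(version) >= PATCHED_VERSION


def check_name_bounds(name, max_len=MAX_NAME_LEN, max_label_len=MAX_LABEL_LEN):
    """Raise UnsafeInput unless `name` fits the DNS size limits; return its labels.

    Punycode never shrinks a label, so a Unicode name longer than 253 characters
    cannot encode to a valid DNS name anyway. Checking up front costs O(n) and
    keeps oversized input away from the codec. Only ASCII dots are treated as
    label separators here; the total-length cap still applies to everything.
    """
    if not isinstance(name, str):
        raise UnsafeInput("expected a str, got %s" % type(name).__name__)
    if len(name) > max_len:
        raise UnsafeInput("name length %d exceeds %d" % (len(name), max_len))
    body = name[:-1] if name.endswith(".") else name  # allow one trailing dot
    labels = body.split(".")
    for label in labels:
        if not label:
            raise UnsafeInput("empty label in %r" % name)
        if len(label) > max_label_len:
            raise UnsafeInput("label length %d exceeds %d" % (len(label), max_label_len))
    return labels


def is_rejected(name):
    """Convenience predicate: does the guard refuse this input?"""
    try:
        check_name_bounds(name)
    except UnsafeInput:
        return True
    return False


def safe_idna_encode(name):
    """Bounds-check, then encode with kjd/idna or the stdlib codec."""
    check_name_bounds(name)
    if idna is not None:
        return idna.encode(name)
    return name.encode("idna")


if __name__ == "__main__":
    print("idna version:", IDNA_VERSION, "patched:", library_is_patched())
    for sample in ("example.com", "bücher.example"):  # constructed sample names
        print(sample, "->", safe_idna_encode(sample))
    try:
        safe_idna_encode("a" * 300)  # constructed oversized input
    except UnsafeInput as exc:
        print("rejected:", exc)
```

Run it once at deploy time to confirm `library_is_patched()` is True; keep `safe_idna_encode` in front of any code path that hands user-supplied host names to the codec.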
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| idna (PyPI) | < 3.7 | 3.7 |
Affected products
Patches
13 files changed · +10 −2
HISTORY.rst+8 −0 modified@@ -3,6 +3,14 @@ History ------- +3.7 (2024-04-11) +++++++++++++++++ + +- Fix issue where specially crafted inputs to encode() could + take exceptionally long amount of time to process. [CVE-2024-3651] + +Thanks to Guido Vranken for reporting the issue. + 3.6 (2023-11-25) ++++++++++++++++
idna/package_data.py+1 −1 modified@@ -1,2 +1,2 @@ -__version__ = '3.6' +__version__ = '3.7'
LICENSE.md+1 −1 modified@@ -1,6 +1,6 @@ BSD 3-Clause License -Copyright (c) 2013-2023, Kim Davies and contributors. +Copyright (c) 2013-2024, Kim Davies and contributors. All rights reserved. Redistribution and use in source and binary forms, with or without
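Review bot: none of the three visible hunks (HISTORY.rst, idna/package_data.py, LICENSE.md; +10 −2 in total) touches executable code, so the behaviour the HISTORY.rst entry claims ("specially crafted inputs to encode() could take exceptionally long amount of time to process") cannot be verified from this patch set. Include the change to the module that implements encode() alongside the changelog and version bump, and add a regression test that bounds encode()'s runtime on a maximum-length input so the fix is enforced by CI rather than only described. Minor: the changelog line reads better as "could take an exceptionally long time to process".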
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jjg7-2v4v-x38h (advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-3651 (advisory)
- github.com/kjd/idna/commit/1d365e17e10d72d0b7876316fc7b9ca0eebdd38d (web)
- github.com/kjd/idna/security/advisories/GHSA-jjg7-2v4v-x38h (web)
- github.com/pypa/advisory-database/tree/main/vulns/idna/PYSEC-2024-60.yaml (web)
- huntr.com/bounties/93d78d07-d791-4b39-a845-cbfabc44aadb (web)
- lists.debian.org/debian-lts-announce/2024/05/msg00006.html (web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4YQUPYH3SVZ5GFF2CDQ55FCM575AZTF2 (web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/F2S5E23N6E52S46KGNYTDFB75LOC4N4D (web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/S5IDLLD2IKSIVRBSLB34WTSYGLMWUFWF (web)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ULSC7HBJKXB3BZV367WM5BR6DFEC4Z43 (web)