
chore(deps): update dependency idna to v3.15 [security]#35

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/pypi-idna-vulnerability

Conversation


@renovate renovate Bot commented Mar 10, 2025

This PR contains the following updates:

Package | Change | Age | Confidence
idna (changelog) | ==3.6 → ==3.15 | age | confidence

Internationalized Domain Names in Applications (IDNA) vulnerable to denial of service from specially crafted inputs to idna.encode

CVE-2024-3651 / GHSA-jjg7-2v4v-x38h

More information

Details

Impact

A specially crafted argument to the idna.encode() function could consume significant resources. This may lead to a denial-of-service.

Patches

The function has been refined to reject such strings without the associated resource consumption in version 3.7.

Workarounds

Domain names cannot exceed 253 characters in length; if this length limit is enforced prior to passing the domain to the idna.encode() function, it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage but may be passed to the library, assuming there is no preliminary input validation by the higher-level application.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix

CVE-2026-45409 / GHSA-65pc-fj4g-8rjx

More information

Details

This is the same issue as CVE-2024-3651, however the original remediation in 2024 was not a complete fix. Payloads such as "\u0660" * N or "\u30fb" * N + "\u6f22" utilize the valid_contexto function prior to length rejection, and for high values of N will take a long time to process.

Impact

A specially crafted argument to the idna.encode() function could consume significant resources. This may lead to a denial-of-service.

Patches

Starting in version 3.14, the function rejects long inputs as soon as practicable prior to any further processing to minimize resource consumption. In version 3.15, this approach was extended to lesser used alternate functions (i.e. per-label conversions and codec support).

Workarounds

Domain names cannot exceed 253 characters in length; if this length limit is enforced prior to passing the domain to the idna.encode() function, it should no longer consume significant resources. This is triggered by arbitrarily large inputs that would not occur in normal usage but may be passed to the library, assuming there is no preliminary input validation by the higher-level application.

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

kjd/idna (idna)

v3.15

Compare Source

  • Enforce DNS-length cap on individual labels early in check_label,
    short-circuiting contextual-rule processing for oversized input
    while staying compatible with UTS 46 usage.
  • Tidy core helpers: hoist bidi category sets to module-level
    frozensets (avoiding per-codepoint list construction), simplify
    length checks, and reuse the shared _unicode_dots_re from
    idna.core in the codec module.
  • Use raise ... from err for proper exception chaining and
    switch internal string formatting to f-strings.
  • Allow flit_core 4.x in the build backend.
  • Expand the ruff lint set (flake8-bugbear, flake8-simplify,
    pyupgrade, perflint) and apply the surfaced fixes; pin lint CI
    to Python 3.14.
  • Add Dependabot configuration for GitHub Actions.
  • Convert README and HISTORY from reStructuredText to Markdown.
  • Reference CVE-2026-45409 for the 3.14 advisory in place of the
    initial GHSA identifier.

Thanks to Felix Yan, Stan Ulbrych, and metsw24-max for
contributions to this release.

v3.14

Compare Source

  • Removed opportunity to process long inputs into quadratic
    time by rejecting oversize inputs up-front. Closes a bypass
    of the CVE-2024-3651 mitigation. [CVE-2026-45409]

Thanks to Stan Ulbrych for reporting the issue.

v3.13

Compare Source

v3.12

Compare Source

v3.11

Compare Source

v3.10

Compare Source

v3.9

Compare Source

v3.8

Compare Source

What's Changed

  • Fix regression where IDNAError exception was not being produced for certain inputs.
  • Add support for Python 3.13, drop support for Python 3.5 as it is no longer testable.
  • Documentation improvements
  • Updates to package testing using Github actions

Thanks to Hugo van Kemenade for contributions to this release.

Full Changelog: kjd/idna@v3.7...v3.8

v3.7

Compare Source

What's Changed

  • Fix issue where specially crafted inputs to encode() could take exceptionally long amount of time to process. [CVE-2024-3651]

Thanks to Guido Vranken for reporting the issue.

Full Changelog: kjd/idna@v3.6...v3.7


Configuration

📅 Schedule: (in timezone Europe/Warsaw)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
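
The workaround both advisories give (enforce the 253-character DNS limit before calling idna.encode()) and the v3.15 release note (cap individual labels before any contextual-rule processing) describe the same defence: cheap length checks in front of the expensive Unicode work. The block below is an added example written for this page; it is not code from the idna project, from this PR, or from the advisory. The function and constant names are this example's own, and the set of dot-like separators is assumed to match the one idna recognises.

```python
"""Length guard in front of idna.encode(), as the advisories' workaround.

Added example: not code from the idna project, the Renovate PR, or GitHub's
advisory. Function and constant names are this example's own. The limits
are the DNS limits the advisory text relies on (253 total, 63 per label).
"""
from typing import Callable, List, Optional

MAX_DOMAIN_LEN = 253  # whole-name limit named in the advisory workaround
MAX_LABEL_LEN = 63    # per-label limit; idna 3.15 enforces this early in check_label

# Code points treated as label separators (assumption: matches idna's _unicode_dots_re).
_LABEL_DOTS = "\u002e\u3002\uff0e\uff61"


class DomainTooLong(ValueError):
    """Raised before any IDNA processing: the input can never be a valid DNS name."""


def split_labels(name: str) -> List[str]:
    """Split on any of the IDNA dot variants. O(n), no Unicode rule evaluation."""
    for dot in _LABEL_DOTS[1:]:
        name = name.replace(dot, ".")
    return name.split(".")


def guard_domain(name: str) -> str:
    """Reject oversized input with O(n) checks and return it unchanged otherwise.

    Punycode plus the 'xn--' prefix never makes a label shorter, so a label
    already over 63 code points (or a name over 253) cannot encode to a valid
    name. Rejecting here means the contextual-rule checks (valid_contexto and
    friends) that the advisory payloads abuse are never reached.

    Caveat: this runs before UTS 46 mapping. Inputs that mapping would shrink
    (e.g. many ignorable code points such as U+00AD) can be rejected even if
    they would have mapped to a legal length. That is a conservative trade-off
    for an input-validation boundary.
    """
    if len(name) > MAX_DOMAIN_LEN:
        raise DomainTooLong(f"name is {len(name)} code points, limit {MAX_DOMAIN_LEN}")
    for label in split_labels(name):
        if len(label) > MAX_LABEL_LEN:
            raise DomainTooLong(f"label is {len(label)} code points, limit {MAX_LABEL_LEN}")
    return name


def _default_encoder(name: str) -> bytes:
    """Use idna.encode when the package is installed; otherwise the stdlib IDNA 2003 codec."""
    try:
        import idna
    except ImportError:
        return name.encode("idna")
    return idna.encode(name)


def safe_encode(name: str, encoder: Optional[Callable[[str], bytes]] = None) -> bytes:
    """Validate length first, then hand the name to the real encoder."""
    guard_domain(name)
    return (encoder or _default_encoder)(name)


def is_rejected_cheaply(name: str) -> bool:
    """True when the guard refuses the input before any encoder is called."""
    seen: List[str] = []

    def recording_encoder(s: str) -> bytes:
        seen.append(s)
        return b""

    try:
        safe_encode(name, encoder=recording_encoder)
    except DomainTooLong:
        return not seen
    return False


if __name__ == "__main__":
    # Constructed payloads mirroring the shapes quoted in the CVE-2026-45409 advisory.
    N = 200_000
    for label, payload in [
        ("arabic-indic digits", "\u0660" * N),
        ("katakana middle dots + han", "\u30fb" * N + "\u6f22"),
        ("ordinary name", "b\u00fccher.example"),
    ]:
        print(f"{label:28s} rejected up-front: {is_rejected_cheaply(payload)}")
    print(safe_encode("b\u00fccher.example"))  # b'xn--bcher-kva.example'
```

The guard is independent of the idna version, so it is worth keeping at the input boundary even after this PR lands: it protects code paths that call the per-label functions or the codec directly, and it fails closed on anything that could not be a DNS name regardless of how the library behaves.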

@renovate renovate Bot force-pushed the renovate/pypi-idna-vulnerability branch from 5b640a1 to 4671306 on August 10, 2025 15:23
@renovate renovate Bot changed the title chore(deps): update dependency idna to v3.7 [security] chore(deps): update dependency idna to v3.7 [security] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate renovate Bot deleted the renovate/pypi-idna-vulnerability branch March 27, 2026 02:51
@renovate renovate Bot changed the title chore(deps): update dependency idna to v3.7 [security] - autoclosed chore(deps): update dependency idna to v3.7 [security] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate renovate Bot force-pushed the renovate/pypi-idna-vulnerability branch 2 times, most recently from 4671306 to 970f202 on March 30, 2026 19:05
@renovate renovate Bot changed the title chore(deps): update dependency idna to v3.7 [security] chore(deps): update dependency idna to v3.7 [security] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title chore(deps): update dependency idna to v3.7 [security] - autoclosed chore(deps): update dependency idna to v3.7 [security] Apr 27, 2026
@renovate renovate Bot reopened this Apr 27, 2026
@renovate renovate Bot force-pushed the renovate/pypi-idna-vulnerability branch 2 times, most recently from 970f202 to 44a5b31 on April 27, 2026 20:34
@renovate renovate Bot changed the title chore(deps): update dependency idna to v3.7 [security] chore(deps): update dependency idna to v3.15 [security] May 20, 2026
@renovate renovate Bot force-pushed the renovate/pypi-idna-vulnerability branch from 44a5b31 to 88178ae on May 20, 2026 02:50