{"id":"CVE-2024-12224","summary":"idna accepts Punycode labels that do not produce any non-ASCII when decoded","details":"Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.","aliases":["GHSA-h97m-ww89-6jmq","RUSTSEC-2024-0421"],"modified":"2026-05-28T03:55:03.172825553Z","published":"2025-05-30T01:16:47.829Z","related":["CGA-vqcf-23pj-f75j","SUSE-RU-2025:02203-1","SUSE-RU-2025:02204-1","SUSE-SU-2025:02586-1","SUSE-SU-2025:02587-1","SUSE-SU-2025:02768-1","SUSE-SU-2025:02809-1","SUSE-SU-2025:02810-1","SUSE-SU-2025:02811-1","SUSE-SU-2025:03298-1","SUSE-SU-2025:03306-1","SUSE-SU-2025:03307-1","SUSE-SU-2025:03445-1","SUSE-SU-2025:20491-1","SUSE-SU-2025:20716-1","SUSE-SU-2025:20783-1","SUSE-SU-2025:20858-1","SUSE-SU-2025:3783-1","SUSE-SU-2025:3784-1","SUSE-SU-2025:3785-1","SUSE-SU-2025:3786-1","SUSE-SU-2025:4411-1","SUSE-SU-2026:0243-1","SUSE-SU-2026:0620-1","SUSE-SU-2026:20096-1","SUSE-SU-2026:20755-1","SUSE-SU-2026:20910-1","openSUSE-SU-2025:15201-1","openSUSE-SU-2025:15202-1","openSUSE-SU-2025:15294-1","openSUSE-SU-2025:15353-1","openSUSE-SU-2025:15550-1","openSUSE-SU-2025:15551-1","openSUSE-SU-2025:15588-1","openSUSE-SU-2025:15656-1","openSUSE-SU-2026:20060-1","openSUSE-SU-2026:20396-1"],"database_specific":{"cna_assigner":"mozilla","cwe_ids":["CWE-1289"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/12xxx/CVE-2024-12224.json"},"references":[{"type":"WEB","url":"https://crates.io/crates/idna"},{"type":"WEB","url":"https://github.com/servo/rust-url/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/12xxx/CVE-2024-12224.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12224"},{"type":"ADVISORY","url":"https://rustsec.org/advisories/RUSTSEC-2024-0421.html"},{"type":"REPORT","url":"https://bugzilla.mozilla.org/show_bug.cgi?id=1887898"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/servo/rust-url","events":[{"introduced":"0"},{"fixed":"d5a84c928603ef84fff8a3e0f33b4e119f1f01a2"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.0.0"}],"source":"AFFECTED_FIELD"}}],"versions":["v0.5.9","v0.5.7","v0.5.5","v0.5.4","v0.5.3","v0.5.0","v0.4.0","v0.2.38","v0.3.0","v0.2.37","v0.2.36","v0.2.35","v0.2.34","v0.2.33","v0.2.32","v0.2.31","v0.2.30","v0.2.29","v0.2.28","v0.2.27","v0.2.26","v0.2.25","v0.2.24","v0.2.23","v0.2.22","v0.2.21","v0.2.19","v0.2.18","v0.2.17","v0.2.16","v0.2.15","v0.2.14","v0.2.13","v0.2.12","v0.2.11","v0.2.10","v0.2.9","v0.2.8","v0.2.7","v0.2.6","v0.2.5","v0.2.4"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-12224.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"}]}