CVE-2024-12224
- Source
- https://cve.org/CVERecord?id=CVE-2024-12224
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-12224.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2024-12224
- Aliases
- Downstream
- Related
- Published
- 2025-05-30T01:16:47.829Z
- Modified
- 2026-05-28T03:55:03.172825553Z
- Severity
-
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N CVSS Calculator
- Summary
- idna accepts Punycode labels that do not produce any non-ASCII when decoded
- Details
-
Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/12xxx/CVE-2024-12224.json", "cwe_ids": [ "CWE-1289" ], "cna_assigner": "mozilla" }- References
-
- https://crates.io/crates/idna
- https://github.com/servo/rust-url/
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/12xxx/CVE-2024-12224.json
- https://nvd.nist.gov/vuln/detail/CVE-2024-12224
- https://rustsec.org/advisories/RUSTSEC-2024-0421.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=1887898
Affected packages
Git / github.com/servo/rust-url
Affected versions
v0.*
v0.2.10
v0.2.11
v0.2.12
v0.2.13
v0.2.14
v0.2.15
v0.2.16
v0.2.17
v0.2.18
v0.2.19
v0.2.21
v0.2.22
v0.2.23
v0.2.24
v0.2.25
v0.2.26
v0.2.27
v0.2.28
v0.2.29
v0.2.30
v0.2.31
v0.2.32
v0.2.33
v0.2.34
v0.2.35
v0.2.36
v0.2.37
v0.2.38
v0.2.4
v0.2.5
v0.2.6
v0.2.7
v0.2.8
v0.2.9
v0.3.0
v0.4.0
v0.5.0
v0.5.3
v0.5.4
v0.5.5
v0.5.7
v0.5.9