CVE-2024-12224

Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://bugzilla.mozilla.org/show_bug.cgi?id=1887898	Exploit Issue Tracking
https://rustsec.org/advisories/RUSTSEC-2024-0421.html	Third Party Advisory
https://bugzilla.mozilla.org/show_bug.cgi?id=1887898	Exploit Issue Tracking

Configurations

Configuration 1 (hide)

cpe:2.3:a:servo:idna:*:*:*:*:*:rust:*:*

History

25 Jun 2025, 15:33

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 8.8
CPE		cpe:2.3:a:servo:idna::::::rust::*
CWE		CWE-352
References	~~() https://bugzilla.mozilla.org/show_bug.cgi?id=1887898 -~~	() https://bugzilla.mozilla.org/show_bug.cgi?id=1887898 - Exploit, Issue Tracking
References	~~() https://rustsec.org/advisories/RUSTSEC-2024-0421.html -~~	() https://rustsec.org/advisories/RUSTSEC-2024-0421.html - Third Party Advisory
First Time		Servo Servo idna

30 May 2025, 13:15

Type	Values Removed	Values Added
References	~~() https://bugzilla.mozilla.org/show_bug.cgi?id=1887898 -~~	() https://bugzilla.mozilla.org/show_bug.cgi?id=1887898 -
Summary		(es) La validación incorrecta de equivalencia insegura en punycode por parte del crate idna de Servo rust-url permite que un atacante cree un nombre de host punycode que una parte de un sistema podría tratar como distinto mientras que otra parte de ese sistema trataría como equivalente a otro nombre de host.

30 May 2025, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-30 02:15

Updated : 2025-06-25 15:33

NVD link : CVE-2024-12224

Mitre link : CVE-2024-12224

CVE.ORG link : CVE-2024-12224

JSON object : View

Products Affected

servo

idna

CWE

CWE-1289

Improper Validation of Unsafe Equivalence in Input

CWE-352

Cross-Site Request Forgery (CSRF)

{"id": "CVE-2024-12224", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security@mozilla.org", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 5.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-30T02:15:19.670", "references": [{"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1887898", "tags": ["Exploit", "Issue Tracking"], "source": "security@mozilla.org"}, {"url": "https://rustsec.org/advisories/RUSTSEC-2024-0421.html", "tags": ["Third Party Advisory"], "source": "security@mozilla.org"}, {"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1887898", "tags": ["Exploit", "Issue Tracking"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security@mozilla.org", "description": [{"lang": "en", "value": "CWE-1289"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-352"}]}], "descriptions": [{"lang": "en", "value": "Improper Validation of Unsafe Equivalence in punycode by the idna crate from Servo rust-url allows an attacker to create a punycode hostname that one part of a system might treat as distinct while another part of that system would treat as equivalent to another hostname."}, {"lang": "es", "value": "La validaci\u00f3n incorrecta de equivalencia insegura en punycode por parte del crate idna de Servo rust-url permite que un atacante cree un nombre de host punycode que una parte de un sistema podr\u00eda tratar como distinto mientras que otra parte de ese sistema tratar\u00eda como equivalente a otro nombre de host."}], "lastModified": "2025-06-25T15:33:17.667", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:servo:idna:*:*:*:*:*:rust:*:*", "vulnerable": true, "matchCriteriaId": "2A9457A0-7004-4D5E-8C78-07A9BE0E13DA", "versionEndExcluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security@mozilla.org"}