CVE-2024-12224: 
Rust vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-12224) was discovered in the idna Rust crate versions 0.5.0 and earlier. The vulnerability allows attackers to create Punycode hostnames that one part of a system might treat as distinct while another part would treat as equivalent. The issue was discovered and reported on December 9, 2024, affecting applications that use the idna crate for URL parsing and hostname validation (RustSec Advisory).

The vulnerability stems from improper handling of Punycode labels that do not produce non-ASCII output when decoded. The issue allows ASCII labels or empty root labels to be masked, causing domains to appear unequal without IDNA processing but equal when processed with affected versions. For example, 'example.org' and 'xn--example-.org' become equal after processing, as do 'example.org.xn--' and 'example.org.' This resulted from idna 0.5.0 and earlier implementing the UTS 46 specification literally, which contained this bug (RustSec Advisory, Mozilla Bug).

In applications using the affected versions, this vulnerability could lead to privilege escalation when hostname comparison is part of a privilege check. The impact is particularly significant when combined with a client that resolves domains with such labels instead of treating them as errors, and when an attacker can introduce a DNS entry and TLS certificate for an xn---masked name (RustSec Advisory).

Users are advised to upgrade to idna 1.0.3 or later if depending on idna directly, or to url 2.5.4 or later if depending on idna via url. While the issue was fixed in idna 1.0.0, versions earlier than 1.0.3 are not recommended for other reasons. The specification bug has been fixed in revision 33 of UTS 46 (RustSec Advisory).