CVE-2026-45409: Internationalized Domain Names in Applications (IDNA): Specially crafted inputs to idna.encode() can bypass CVE-2024-3651 fix
This is the same issue as CVE-2024-3651; however, the original remediation in 2024 was not a complete fix. Payloads such as "\u0660" * N or "\u30fb" * N + "\u6f22" reach the valid_contexto function before the input is rejected for length, and for high values of N they take a long time to process.
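A caller-side length gate that rejects such inputs before idna.encode() does any per-character work, as an added example that is not code from the idna project or from this advisory. The names precheck_length, guarded_encode and InputTooLong are hypothetical, and the 253/63 character limits are assumptions taken from DNS name limits, valid only for callers that do not rely on UTS46 remapping to shorten their input.

```python
import re

# Assumed limits (DNS name limits, not values from the advisory).
MAX_NAME_CHARS = 253
MAX_LABEL_CHARS = 63
# Label separators: full stop plus its ideographic, fullwidth and halfwidth forms.
DOTS = re.compile("[\u002e\u3002\uff0e\uff61]")


class InputTooLong(ValueError):
    """Raised before any contextual-rule validation is attempted."""


def precheck_length(name: str) -> None:
    """Linear-time gate: only counts characters, never inspects them."""
    if len(name) > MAX_NAME_CHARS:
        raise InputTooLong(f"name has {len(name)} characters, limit {MAX_NAME_CHARS}")
    for label in DOTS.split(name):
        if len(label) > MAX_LABEL_CHARS:
            raise InputTooLong(f"label has {len(label)} characters, limit {MAX_LABEL_CHARS}")


def guarded_encode(name: str, encoder=None) -> bytes:
    """Run the length gate, then hand the name to the encoder.

    encoder defaults to idna.encode; it is a parameter so the gate can be
    exercised without the idna package installed.
    """
    precheck_length(name)
    if encoder is None:
        import idna  # lazy import: only needed once the input has passed the gate
        encoder = idna.encode
    return encoder(name)


if __name__ == "__main__":
    # Constructed payloads in the two shapes the advisory describes.
    n = 100_000
    for payload in ("\u0660" * n, "\u30fb" * n + "\u6f22"):
        try:
            guarded_encode(payload)
        except InputTooLong as exc:
            print("rejected before validation:", exc)
```
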