rust-url: Improper validation of unsafe equivalence in punycode in the idna crate (servo rust-url) (CVE-2024-12224) #shorts
Summary
Hello and welcome to the Rust Security Spotlight. In today's episode we're digging into CVE-2024-12224, a Punycode validation flaw in the idna crate, the Internationalized Domain Name library maintained alongside Servo's rust-url. Disclosed on May 30, 2025, the issue is that idna accepted "xn--" labels that decode to nothing but ASCII. Such a name is one hostname to a component that keeps the Punycode form and a different hostname to a component that decodes it first, so the same domain is treated as distinct in one part of a system and as equivalent to an existing name in another, opening the door to phishing, routing anomalies, or cache confusion.
Product details
The vulnerability resides in the idna crate, which lives in Servo's rust-url repository and is normally pulled in as a dependency of the url crate; versions of idna before 1.0.0 are affected. The crate is a core dependency for many Rust projects, including Mozilla's own URL parsing code and third-party tools like sccache, rav1e, and rust-keylime. openSUSE, SUSE Linux and other distributions have already released security advisories and package updates that rebuild those packages against a fixed idna.
Vulnerability type summary
CVE-2024-12224 is classified under CWE-1289: Improper Validation of Unsafe Equivalence in Input. The root cause is that idna did not enforce the UTS 46 validity rule that a Punycode label must decode to at least one non-ASCII character. A label such as xn--example- decodes to the plain ASCII label example, so two strings that look different name the same identity once one of them is decoded, and subsystems that normalize differently will disagree about whether they are equal.
Details of the vulnerability
When idna processes a domain label that starts with xn--, versions before 1.0.0 accept Punycode that decodes to pure ASCII instead of rejecting it as UTS 46 requires. The label xn--example- is the Punycode encoding of the ASCII string example, so xn--example-[.]com is a distinct name to DNS and to any component that compares the ASCII form, but reads as example.com to any component that decodes Punycode before comparing. An attacker who registers such a name can satisfy an allowlist or equivalence check written against the decoded form while DNS sends the traffic to a server the attacker controls, which is how the flaw turns into data leaks, unauthorized redirects, or cache poisoning. idna 1.0.0 rejects these labels as invalid, so the ASCII-only Punycode form can no longer enter the system as a valid hostname and every component that goes through idna sees the same answer.
Conclusion
To stay safe, upgrade the idna crate to 1.0.0 or later. Because idna is usually a transitive dependency of the url crate rather than something you depend on directly, run cargo tree -i idna to see which version your lockfile resolves and cargo update -p idna to move it forward, and make sure dependent projects such as sccache, rav1e, or rust-keylime are rebuilt with the updated crate. Administrators on openSUSE or SUSE Linux should apply the published security advisories without delay. That's all for this episode of the Rust Security Spotlight. Thanks for tuning in, and remember to keep your dependencies up to date!
Watch the full video on YouTube: CVE-2024-12224
Remediation and exploitation details
This chain involves the following actors
- Attacker: Registers a domain whose xn-- label decodes to ASCII only, so that a Punycode-decoding component reads it as an existing legitimate hostname
- Developer: Maintains applications that use the servo rust-url crate
The following systems are involved
- servo rust-url crate (Parses and validates URLs, including punycode hostnames): Performs Internationalized Domain Name handling
- Client application (Consumes user input or remote URLs): Invokes rust-url APIs for hostname validation and security checks
- DNS infrastructure (Resolves hostnames to IP addresses): Maps attacker-controlled punycode domain to a server under attacker control
Attack entry point
- Punycode Hostname Input: Attacker-supplied punycode domain passed into the idna processing functions of rust-url
Remediation actions
- Upgrade the idna crate to 1.0.0 or later; it is normally a transitive dependency of the url crate, so confirm the resolved version with cargo tree -i idna
- Rebuild and redeploy dependent applications such as sccache, rav1e and rust-keylime with the updated crate
- On openSUSE and SUSE Linux, apply the published security advisories for those packages
Exploitation actions
Punycode label that decodes to ASCII only
- xn--example- is the Punycode encoding of the ASCII label example, so xn--example-.com reads as example.com once decoded
Domain registration and DNS configuration
- xn--example-.com → 203.0.113.45 (DNS compares the ASCII labels, so this is an ordinary registrable name that is distinct from example.com)
Hostname parsing without the UTS 46 ASCII-only check (idna before 1.0.0)
- let u = Url::parse("http://xn--example-.com").unwrap(); // accepted by idna < 1.0.0; idna 1.0.0 rejects the label as invalid
Mismatched equivalence handling causes one component to treat the host as the legitimate name while another treats it as distinct
- A check that decodes Punycode before comparing sees example.com and passes, while DNS and any component that compares the ASCII form send the request to xn--example-.com, that is, to the attacker's server
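The rule idna before 1.0.0 skipped, written out as an added example (this is not code from idna or rust-url, and it uses no external crates): a minimal RFC 3492 Punycode decoder and a label validator that rejects xn-- labels decoding to ASCII only. It illustrates both the mechanism described under "Details of the vulnerability" and the chain above. The hostnames, the LabelVerdict, check_label and accept_host names, and the rejection messages are this example's own; xn--bcher-kva is the standard encoding of bücher and is included as a legitimate IDN label for contrast.

```rust
// Added example (not idna or rust-url code): a minimal RFC 3492 Punycode
// decoder plus the UTS 46 rule that idna before 1.0.0 did not enforce:
// an "xn--" label must decode to at least one non-ASCII character.
// Hostnames, type and function names below are this example's own.

const BASE: u32 = 36;
const TMIN: u32 = 1;
const TMAX: u32 = 26;
const SKEW: u32 = 38;
const DAMP: u32 = 700;
const INITIAL_BIAS: u32 = 72;
const INITIAL_N: u32 = 128;

/// Bias adaptation, RFC 3492 section 6.1.
fn adapt(mut delta: u32, num_points: u32, first_time: bool) -> u32 {
    delta /= if first_time { DAMP } else { 2 };
    delta += delta / num_points;
    let mut k = 0;
    while delta > ((BASE - TMIN) * TMAX) / 2 {
        delta /= BASE - TMIN;
        k += BASE;
    }
    k + ((BASE - TMIN + 1) * delta) / (delta + SKEW)
}

/// One Punycode digit: a-z = 0..25, 0-9 = 26..35, case-insensitive.
fn digit_value(c: char) -> Option<u32> {
    match c {
        'a'..='z' => Some(c as u32 - 'a' as u32),
        'A'..='Z' => Some(c as u32 - 'A' as u32),
        '0'..='9' => Some(c as u32 - '0' as u32 + 26),
        _ => None,
    }
}

/// Decode the text after "xn--" (RFC 3492 section 6.2). None means malformed.
fn punycode_decode(input: &str) -> Option<String> {
    // Everything before the last '-' is copied through as basic code points.
    let (basic, extended) = match input.rfind('-') {
        Some(pos) => (&input[..pos], &input[pos + 1..]),
        None => ("", input),
    };
    if !basic.is_ascii() {
        return None;
    }
    let mut output: Vec<char> = basic.chars().collect();
    let mut n = INITIAL_N;
    let mut i: u32 = 0;
    let mut bias = INITIAL_BIAS;
    let mut digits = extended.chars();
    // Each pass decodes one variable-length integer into a (position, code
    // point) delta and inserts the resulting non-basic code point.
    while let Some(first) = digits.next() {
        let old_i = i;
        let mut w: u32 = 1;
        let mut k = BASE;
        let mut c = first;
        loop {
            let digit = digit_value(c)?;
            i = i.checked_add(digit.checked_mul(w)?)?;
            let t = if k <= bias { TMIN } else if k >= bias + TMAX { TMAX } else { k - bias };
            if digit < t {
                break;
            }
            w = w.checked_mul(BASE - t)?;
            k += BASE;
            c = digits.next()?; // input ended in the middle of a number
        }
        let len = output.len() as u32 + 1;
        bias = adapt(i - old_i, len, old_i == 0);
        n = n.checked_add(i / len)?;
        i %= len;
        output.insert(i as usize, char::from_u32(n)?);
        i += 1;
    }
    Some(output.into_iter().collect())
}

/// Verdict for one hostname label.
#[derive(Debug, PartialEq)]
enum LabelVerdict {
    /// Not an "xn--" label; nothing to decode.
    Plain,
    /// Decodes to at least one non-ASCII character: a real IDN label.
    Valid(String),
    /// Decodes to ASCII only: UTS 46 rejects it, idna < 1.0.0 accepted it.
    AsciiOnly(String),
    /// Not decodable as Punycode.
    Malformed,
}

fn check_label(label: &str) -> LabelVerdict {
    let lower = label.to_ascii_lowercase();
    let rest = match lower.strip_prefix("xn--") {
        Some(rest) => rest,
        None => return LabelVerdict::Plain,
    };
    match punycode_decode(rest) {
        None => LabelVerdict::Malformed,
        Some(decoded) if decoded.is_ascii() => LabelVerdict::AsciiOnly(decoded),
        Some(decoded) => LabelVerdict::Valid(decoded),
    }
}

/// Hardened acceptance check: Ok(lowercased host) only when every label is
/// plain ASCII or a genuine IDN label. The Err text names the ASCII hostname a
/// Punycode-decoding component would otherwise have silently matched.
fn accept_host(host: &str) -> Result<String, String> {
    for label in host.split('.') {
        match check_label(label) {
            LabelVerdict::Plain | LabelVerdict::Valid(_) => {}
            LabelVerdict::AsciiOnly(decoded) => {
                return Err(format!("{}: label {} decodes to ASCII-only {:?}", host, label, decoded))
            }
            LabelVerdict::Malformed => {
                return Err(format!("{}: label {} is not valid Punycode", host, label))
            }
        }
    }
    Ok(host.to_ascii_lowercase())
}

fn main() {
    // Constructed inputs: a plain name, the CVE-2024-12224 shape, and a real IDN.
    for host in ["example.com", "xn--example-.com", "xn--bcher-kva.example"] {
        match accept_host(host) {
            Ok(h) => println!("accept {}", h),
            Err(why) => println!("reject {}", why),
        }
    }
}
```

The point of the Err message is operational: when a request is refused, the log line carries the ASCII name the attacker was trying to impersonate, which is what an analyst wants to pivot on. A production validator has further UTS 46 criteria to apply to the decoded label (hyphen placement, normalization, the allowed character set); this block isolates the single rule that CVE-2024-12224 is about.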
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://rustsec.org/advisories/RUSTSEC-2024-0421.html
- https://bugzilla.mozilla.org/show_bug.cgi?id=1887898
- [2025-08-01] openSUSE releases a security advisory for sccache addressing CVE-2024-12224.
- [2025-08-01] SUSE Linux releases a moderate security advisory for rav1e regarding CVE-2024-12224.
- [2025-07-25] SUSE addresses a moderate vulnerability in rust-keylime identified as CVE-2024-12224.