Mozilla Rust-Url Punycode Validation Vulnerability
Vulnerability
A vulnerability exists in the `idna` crate used by `servo/rust-url` versions 2.5.0 prior to 2.5.2. The issue stems from improper validation of Punycode hostnames, allowing an attacker to craft a hostname that one part of a system may view as distinct while another part treats it as equivalent to a different hostname. This flaw can lead to privilege escalation in applications that rely on hostname comparisons for security decisions.
Impact
Exploitation of this vulnerability can cause incorrect URL parsing, allowing Punycode labels to be misinterpreted. This can lead to security issues in applications that make decisions based on URL origins, such as bypassing Cross-Site Request Forgery (CSRF) protections.
Reproduction
The vulnerability can be reproduced by using `rust-url` version 2.5.0 with the `idna` crate version 0.5.0 or earlier. Punycode hostnames that violate standard URL specifications can be parsed incorrectly, leading to equivalent representations of distinct URLs. This issue can be demonstrated in environments like Deno, where the `rust-url` library is used to parse URLs.
Remediation
Users should upgrade to `idna` version 1.0.3 or later, or to `url` version 2.5.4 or later, if `idna` is used as a dependency through the `url` crate. This vulnerability has been fixed in `idna` version 1.0.2 and `url` version 2.5.1.
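One way to check a project against the upgrade targets above, as an added example that is not code from the advisory or from the `url`/`idna` projects: a std-only Rust scan of `Cargo.lock` text that reports every locked `idna` or `url` entry below those versions. The names `MINIMUMS`, `parse_version` and `outdated`, and the sample lock file, are assumptions made for illustration.

```rust
// Upgrade targets named in the Remediation section of this page.
const MINIMUMS: [(&str, [u64; 3]); 2] = [("idna", [1, 0, 3]), ("url", [2, 5, 4])];

// Parse "MAJOR.MINOR.PATCH"; any pre-release or build suffix is ignored.
fn parse_version(v: &str) -> Option<[u64; 3]> {
    let core = v.split(|c: char| c == '-' || c == '+').next()?;
    let mut parts = core.split('.').map(|p| p.parse::<u64>().ok());
    Some([parts.next()??, parts.next()??, parts.next()??])
}

// Return (name, version) for every locked package below its minimum.
// A lock file can hold several versions of one crate, so each entry is checked.
fn outdated(lock: &str) -> Vec<(String, String)> {
    let mut hits = Vec::new();
    let mut name = String::new();
    for line in lock.lines().map(str::trim) {
        if line == "[[package]]" {
            name.clear();
        } else if let Some(v) = line.strip_prefix("name = ") {
            name = v.trim_matches('"').to_string();
        } else if let Some(v) = line.strip_prefix("version = ") {
            // The top-level `version = 3` line has no package name and is skipped.
            let ver = v.trim_matches('"');
            for &(pkg, min) in MINIMUMS.iter() {
                // Fail closed: an unparseable version is reported as outdated.
                if name == pkg && parse_version(ver).map_or(true, |p| p < min) {
                    hits.push((name.clone(), ver.to_string()));
                }
            }
        }
    }
    hits
}

// Constructed sample lock file (hypothetical project, not from the page).
const SAMPLE_LOCK: &str = r#"version = 3
[[package]]
name = "idna"
version = "0.5.0"
[[package]]
name = "idna"
version = "1.0.3"
[[package]]
name = "url"
version = "2.5.0"
"#;

fn main() {
    for (n, v) in outdated(SAMPLE_LOCK) { println!("{} {} is below the upgrade target", n, v); }
}
```
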
