The idna.ToUnicode function accepts Punycode-encoded labels (labels starting with "xn--") that decode to strings containing only ASCII characters. For example, ToUnicode("xn--go-") returns ("go", nil) rather than an error.
An intended property of IDNA is that a Unicode domain name has exactly one valid representation as a DNS-compatible ASCII string. The Unicode name "go.dev" has the DNS name "go.dev", not "xn--go-.dev".
A program that relies on this property could have its security checks bypassed when it accepts "xn--"-masked names.
(This behavior arises from a specification bug in UTS 46, which inadvertently permitted all-ASCII xn-- labels. IDNA 2008 and RFC 5890 do not permit such labels. This bug was corrected in UTS 46 revision 33.)
This is CVE-2026-39821 and a PUBLIC track security issue.
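A pre-check a caller could run on a hostname before passing it to idna.ToUnicode, added here as an example (not code from golang.org/x/net or the Go project). The names asciiOnlyACE and CheckHost are hypothetical; the check relies on the RFC 3492 property that a Punycode payload with nothing after its last "-" delimiter encodes no non-ASCII code points.

```go
package main

import (
	"fmt"
	"strings"
)

// asciiOnlyACE (hypothetical helper) reports whether label is an "xn--" label
// whose Punycode payload carries no encoded non-ASCII part. In RFC 3492 the
// text before the last "-" is copied verbatim as ASCII, and every code point
// decoded from the text after it is >= 0x80. So an empty tail after the last
// "-" (or an empty payload) means the label decodes to ASCII only.
func asciiOnlyACE(label string) bool {
	if len(label) < 4 || !strings.EqualFold(label[:4], "xn--") {
		return false
	}
	payload := label[4:]
	return payload == "" || strings.HasSuffix(payload, "-")
}

// CheckHost (hypothetical helper) returns an error naming the first all-ASCII
// "xn--" label in host, or nil if there is none. A trailing root dot is ignored.
func CheckHost(host string) error {
	for _, label := range strings.Split(strings.TrimSuffix(host, "."), ".") {
		if asciiOnlyACE(label) {
			return fmt.Errorf("label %q is an all-ASCII xn-- label", label)
		}
	}
	return nil
}

func main() {
	// Constructed sample inputs: the two names from the report, a genuine
	// IDN label, and a mixed-case variant with a trailing dot.
	hosts := []string{"go.dev", "xn--go-.dev", "xn--bcher-kva.example", "XN--GO-.dev."}
	for _, h := range hosts {
		fmt.Printf("%-24s %v\n", h, CheckHost(h))
	}
}
```

Running the check on the raw input, before any allow-list or deny-list comparison, keeps "xn--go-.dev" from being treated as a second spelling of "go.dev".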