diff --git a/deny.toml b/deny.toml
index 9ed9d3b5c6d9..3172b7369a85 100644
--- a/deny.toml
+++ b/deny.toml
@@ -28,6 +28,12 @@ yanked = "deny"
 ignore = [
 # Ignored audit issues. This list should be kept short, and effort should be
 # put into removing items from the list.
+
+ # RUSTSEC-2024-0421 - `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
+ # `hickory-proto 0.24.1` uses `idna 0.4`
+ # `url 2.5` uses `idna 0.5.0`
+ # `shadowsocks 1.20.3` uses `url 2.5`
+ "RUSTSEC-2024-0421",
 ]
diff --git a/osv-scanner.toml b/osv-scanner.toml
index 7df9f816d244..1e2386375487 100644
--- a/osv-scanner.toml
+++ b/osv-scanner.toml
@@ -67,3 +67,16 @@
 # effectiveUntil = 2024-11-02
 # reason = "The XML payload is generated by Apple tooling which we trust"
 # ```
+
+# idna accepts Punycode labels that do not produce any non-ASCII when decoded
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0421"
+ignoreUntil = 2025-03-09
+reason = """
+There is a privelege escalation in the `idna` crate, which affects consumers that accept arbitrary domain names
+as input, which we do not. A fix has been released in version `1.0.0`, and currently our dependencies `hickory-proto`
+and `shadowsocks` prevent us from upgrading to a safe version of `idna`. New releases of these depencies which are not
+vulnerable to RUSTSEC-2024-0421 is tracked in the following GitHub issues:
+- https://github.com/hickory-dns/hickory-dns/issues/2206
+- https://github.com/shadowsocks/shadowsocks-rust/issues/1775
+"""
diff --git a/test/deny.toml b/test/deny.toml
index 4bb1b7bc738a..743c19f908a7 100644
--- a/test/deny.toml
+++ b/test/deny.toml
@@ -24,6 +24,11 @@ ignore = [
 # RUSTSEC-2024-0384 - `instant` is unmaintained.
 # `ssh2 0.9.4` uses `instant`.
 "RUSTSEC-2024-0384",
+ # RUSTSEC-2024-0421 - `idna` accepts Punycode labels that do not produce any non-ASCII when decoded
+ # `hickory-proto 0.24.1` uses `idna 0.4`
+ # `url 2.5` uses `idna 0.5.0`
+ # `shadowsocks 1.20.3` uses `url 2.5`
+ "RUSTSEC-2024-0421",
 ]
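Review bot: The new `"RUSTSEC-2024-0421"` entry in deny.toml records the dependency chain but neither the justification for accepting the advisory nor the upstream issues that would let it be removed, so this file has no exit condition for the ignore; the identical entry in test/deny.toml has the same gap. The osv-scanner.toml hunk in this commit does carry the rationale, the two tracking issues and an `ignoreUntil` date, and the two files will silently drift unless deny.toml points at them. I would extend the comment block with `# Not reachable with attacker-controlled names per osv-scanner.toml; remove once hickory-proto (hickory-dns#2206) and shadowsocks (shadowsocks-rust#1775) ship on idna >= 1.0, re-check by 2025-03-09` (or, if the pinned cargo-deny accepts it, the `{ id = "RUSTSEC-2024-0421", reason = "..." }` form). A small style point: deny.toml inserts an extra blank line before the comment block while test/deny.toml does not, so the two lists are formatted differently for the same entry.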
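Review bot: The `reason` string in osv-scanner.toml rests on the claim that arbitrary domain names are not accepted as input, yet both crates named in the chain, `hickory-proto` (DNS) and `shadowsocks` (proxy), exist to process host names, so the justification should say where the names they see originate — presumably operator configuration rather than remote or user-supplied input, which I cannot confirm from this hunk — so the ignore can be re-evaluated if that changes; the identical text in test/osv-scanner.toml has the same gap. The string also calls the issue a "privelege escalation", while the comment line above the table describes it as `idna` accepting Punycode labels that decode to no non-ASCII, an input-validation problem; I would align the wording with the advisory's own description rather than introduce a severity class it does not support. Wording in the same string: `privelege` → `privilege`, `depencies` → `dependencies`, and `New releases ... is tracked` → `are tracked`. The `ignoreUntil = 2025-03-09` date is the right mechanism here; note that the cargo-deny entry for the same id in deny.toml carries no equivalent expiry.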
diff --git a/test/osv-scanner.toml b/test/osv-scanner.toml
index 7c5a285d804b..f9cb8a38e7c1 100644
--- a/test/osv-scanner.toml
+++ b/test/osv-scanner.toml
@@ -12,3 +12,16 @@ a fork instead of depending on `instant`. In our tree it is `ssh2` that currentl
 version of `parking_lot`, preventing us from upgrading to a fixed version.
 This ignore can be removed when https://github.com/alexcrichton/ssh2-rs/issues/338 is resolved.
 """
+
+# idna accepts Punycode labels that do not produce any non-ASCII when decoded
+[[IgnoredVulns]]
+id = "RUSTSEC-2024-0421"
+ignoreUntil = 2025-03-09
+reason = """
+There is a privelege escalation in the `idna` crate, which affects consumers that accept arbitrary domain names
+as input, which we do not. A fix has been released in version `1.0.0`, and currently our dependencies `hickory-proto`
+and `shadowsocks` prevent us from upgrading to a safe version of `idna`. New releases of these depencies which are not
+vulnerable to RUSTSEC-2024-0421 is tracked in the following GitHub issues:
+- https://github.com/hickory-dns/hickory-dns/issues/2206
+- https://github.com/shadowsocks/shadowsocks-rust/issues/1775
+"""