The vulnerability exists within the `phonenumbers.Parse()` function of the github.com/nyaruka/phonenumbers library, which parses a string representing a phone number into a structured format. The library fails to validate the syntactic correctness of the input string before processing it. When a crafted, malformed input string is supplied, the parsing logic accesses a substring using slice operations whose indices lie outside the bounds of the input string's length, and this incorrect index calculation leads directly to a Go runtime panic with the error "slice bounds out of range". This is a classic case of improper input validation: the function neither sanitizes nor checks the structure of user-supplied input before performing operations that assume a specific, valid format, and the resulting unrecovered panic produces a denial-of-service condition for any application using the library.
DailyCVE Form:
Platform: Go package
Version: <1.2.2
Vulnerability: Input Validation
Severity: Moderate
Date: 2025-09-27
Prediction: Patch expected 2025-10-04
What Undercode Says:
# Check whether an affected version of the module is in the dependency graph
go list -m all | grep nyaruka/phonenumbers
import "github.com/nyaruka/phonenumbers"
// Vulnerable call: in affected versions a malformed number string reaching Parse() triggers the slice-bounds panic instead of returning err
num, err := phonenumbers.Parse("CRAFTED_MALICIOUS_INPUT", "")
# Run the parser under the Go fuzzer (assumes a FuzzParse fuzz target exists in the package under test)
go test -v -fuzz=FuzzParse ./...
How the Exploit Works:
A crafted, malformed input string is passed to Parse()
The parser slices the string with out-of-range indices and panics ("slice bounds out of range")
The unrecovered panic crashes the application, resulting in denial of service
Protection from this CVE:
Upgrade to v1.2.2
Sanitize and length-check phone number input before it reaches the parser
Fuzz test the parser with malformed inputs
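Added example (not the library's or the page's own code) showing the two code-level mitigations listed above in Go: an allow-list pre-check on raw input, and a recover-based wrapper that turns a parser panic into an ordinary error so a single bad request cannot take the process down. The `PreValidate`/`SafeParse` names and the `brittleParse` stand-in are constructed for illustration; in practice you would pass `phonenumbers.Parse` (adapted to its `*PhoneNumber` return type) to the wrapper.

```go
package main

import (
	"fmt"
	"regexp"
)

// ParseFunc has the shape of phonenumbers.Parse; result simplified to string.
type ParseFunc func(number, defaultRegion string) (string, error)

// Conservative allow-list: digits, '+', separators, extension markers, max 64.
var allowedChars = regexp.MustCompile(`^[0-9+\-. ()#*;/xX]{1,64}$`)

// PreValidate rejects oversized or oddly composed input before it reaches the
// parser. Defense in depth only; the real fix is upgrading to v1.2.2.
func PreValidate(s string) error {
	if !allowedChars.MatchString(s) {
		return fmt.Errorf("phone number input rejected by pre-validation: %q", s)
	}
	return nil
}

// SafeParse converts a parser panic (e.g. slice bounds out of range) into an error.
func SafeParse(parse ParseFunc, number, region string) (result string, err error) {
	if err = PreValidate(number); err != nil {
		return "", err
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("phone number parse panicked: %v", r)
		}
	}()
	return parse(number, region)
}

// brittleParse is a constructed stand-in (not the library's code): it slices
// without a bounds check, so a '+' prefix shorter than 4 bytes panics.
func brittleParse(number, region string) (string, error) {
	if number[0] == '+' {
		return number[1:4], nil
	}
	return number, nil
}

func main() {
	for _, in := range []string{"+1 650 555 0100", "+1", "<script>"} {
		out, err := SafeParse(brittleParse, in, "US")
		fmt.Printf("%q -> %q err=%v\n", in, out, err)
	}
}
```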
Impact:
Application crash from an unrecovered panic
Denial of service for the affected application
Sources:
Reported By: github.com