CVE-2025-10954: github.com/nyaruka/phonenumbers Vulnerable to Improper Validation of Syntactic Correctness of Input

CVSS Score (v3.1): 5.3
Basic Information

EPSS Score: 0.17129%
Published: 9/27/2025
Updated: 9/29/2025
KEV Status: No
Technology: Go

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Package Name: github.com/nyaruka/phonenumbers
Ecosystem: go
Vulnerable Versions: < 1.2.2
First Patched Version: 1.2.2

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability is a classic 'slice bounds out of range' error in the Go phonenumbers package, leading to a denial of service (panic). The root cause lies in the buildNationalNumberForParsing function, which improperly handled phone numbers formatted according to RFC 3966 that included a phone-context parameter.

The vulnerable code located the phone-context= substring and calculated a starting index for its value. However, it failed to validate that this index was actually within the bounds of the input string. An attacker could provide a string that ends precisely with phone-context=, causing the program to attempt to read from an index beyond the end of the string, which triggers a runtime panic.

The patch rectifies this by introducing two new functions: extractPhoneContext and isPhoneContextValid. The former safely extracts the parameter's value with explicit boundary checks, and the latter validates the content of the parameter. The buildNationalNumberForParsing function was refactored to use these new, safer functions, thus preventing the out-of-bounds access.

Any runtime profile or stack trace generated during the exploitation of this vulnerability would show a call chain originating from the public phonenumbers.Parse function, proceeding through phonenumbers.parseHelper, and terminating with a panic inside phonenumbers.buildNationalNumberForParsing.

Vulnerable functions

phonenumbers.buildNationalNumberForParsing (phonenumbers.go)
This function contained the core logic flaw. It calculated an index `phoneContextStart` and then immediately tried to access the character at that index (`numberToParse[phoneContextStart]`) without verifying that the index was within the string's bounds. If a crafted input ended with ';phone-context=', this would cause a 'slice bounds out of range' panic. The patch replaced this unsafe access with calls to new functions (`extractPhoneContext`, `isPhoneContextValid`) that perform proper validation and bounds checking.

phonenumbers.parseHelper (phonenumbers.go)
This function is a direct caller of the vulnerable `buildNationalNumberForParsing` function and a necessary step in the execution path that triggers the vulnerability. The patch modified it to handle the new error returned by the fixed `buildNationalNumberForParsing` function.

phonenumbers.Parse (phonenumbers.go)
This is the primary public API function and the entry point for the vulnerability. An attacker triggers the panic by passing a specially crafted phone number string to this function. It would be the top-level function from this package in any stack trace related to the exploit.
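The unguarded index read and the two-function fix described above, as an added Go example that is not the phonenumbers library's own code: the names extractPhoneContext and isPhoneContextValid are taken from this advisory, while their bodies, the two national-number wrappers, the validation rule and the sample input are constructed here for illustration.

```go
package main

import "errors"
import "strings"

const phoneContextParam = ";phone-context=" // RFC 3966 parameter marker

// Unsafe pattern (constructed, not the library's code): s[start] is read without checking start < len(s).
func unguardedNationalNumber(s string) string {
	idx := strings.Index(s, phoneContextParam)
	if idx < 0 {
		return s
	}
	start := idx + len(phoneContextParam)
	if s[start] == '+' { // input ending in the marker makes start == len(s): index out of range panic
		return s[start:] + s[:idx] // a global context prefixes the number
	}
	return s[:idx]
}

// extractPhoneContext (name from the advisory): the marker's value, if present, behind an explicit bounds check.
func extractPhoneContext(s string) (value string, found bool) {
	idx := strings.Index(s, phoneContextParam)
	if idx < 0 {
		return "", false
	}
	start := idx + len(phoneContextParam)
	if start >= len(s) {
		return "", true // marker present but empty: never index past the end
	}
	value, _, _ = strings.Cut(s[start:], ";") // value ends at the next parameter
	return value, true
}

// isPhoneContextValid (name from the advisory): non-empty and made only of RFC 3966 context characters.
func isPhoneContextValid(ctx string) bool {
	return ctx != "" && strings.Trim(strings.ToLower(ctx), "+abcdefghijklmnopqrstuvwxyz0123456789.-") == ""
}

// Hardened form: an empty or malformed context is an error for the caller, never a panic.
func guardedNationalNumber(s string) (string, error) {
	ctx, found := extractPhoneContext(s)
	if found && !isPhoneContextValid(ctx) {
		return "", errors.New("invalid phone-context parameter")
	}
	if !found {
		return s, nil
	}
	return s[:strings.Index(s, phoneContextParam)], nil
}
```

A regression test for the fix recovers from the panic on the unguarded path and asserts that the guarded path returns an error for the same input.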

WAF Protection Rules

WAF Rule

Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "run
