CVE-2025-10954

5.3 MEDIUM

📋 TL;DR

The github.com/nyaruka/phonenumbers package versions before 1.2.2 contain an input validation vulnerability in the phonenumbers.Parse() function. Attackers can trigger a panic (runtime error: slice bounds out of range) by providing specially crafted input, potentially causing denial of service. Applications using this Go library for phone number parsing are affected.

💻 Affected Systems

Products:
  • github.com/nyaruka/phonenumbers Go library
Versions: All versions before 1.2.2
Operating Systems: All platforms running Go applications
Default Config Vulnerable: ⚠️ Yes
Notes: Any application using phonenumbers.Parse() with untrusted input is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Application crashes with panic, leading to denial of service and potential service disruption if not properly recovered.

🟠

Likely Case

Application crashes when processing malicious input, requiring restart and causing temporary service interruption.

🟢

If Mitigated

Application gracefully handles the error or recovers automatically with minimal impact.

🌐 Internet-Facing: MEDIUM
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending crafted input to the vulnerable function.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.2

Vendor Advisory: https://github.com/nyaruka/phonenumbers/commit/0479e35488e8a002a261cdb515ef8a7f80ca37fe

Restart Required: Yes

Instructions:

1. Update go.mod to require github.com/nyaruka/phonenumbers v1.2.2 or later.
2. Run 'go mod tidy'.
3. Rebuild and redeploy your application.

🔧 Temporary Workarounds

Input validation wrapper

all

Wrap phonenumbers.Parse() calls with input validation to reject suspicious inputs before processing.

Panic recovery middleware

all

Implement panic recovery in HTTP handlers or application layers to prevent crashes from propagating.
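The two workarounds above (an input validation wrapper and panic recovery) combined in one Go program, as an added example that is not code from the advisory or from the phonenumbers project. It assumes a stand-in parsePhone function in place of phonenumbers.Parse() so it runs offline; the stand-in panics on the constructed input "999" purely to model the slice-bounds panic, and the length cap and character allow-list are assumptions chosen for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"log"
	"net/http"
	"net/http/httptest"
	"net/url"
	"regexp"
)

// parsePhone stands in for phonenumbers.Parse (assumption: the real module is
// not imported so this file runs offline). It panics on the constructed input
// "999" to model the pre-1.2.2 slice-bounds panic; the real trigger input is
// not reproduced here.
var parsePhone = func(raw, region string) (string, error) {
	if raw == "999" {
		var b []byte
		_ = b[2:4] // runtime error: slice bounds out of range
	}
	return region + ":" + raw, nil
}

// Assumed limits for the validation wrapper: a length cap and an allow-list
// of digits, whitespace, and common formatting characters.
const maxPhoneLen = 32

var phoneAllowed = regexp.MustCompile(`^\+?[0-9\s().-]+$`)

// validatePhoneInput rejects input before it reaches the parser.
func validatePhoneInput(raw string) error {
	if len(raw) == 0 || len(raw) > maxPhoneLen {
		return errors.New("phone number length out of range")
	}
	if !phoneAllowed.MatchString(raw) {
		return errors.New("phone number contains disallowed characters")
	}
	return nil
}

// safeParse runs validation first, then converts any parser panic into an
// ordinary error via recover(), so the calling goroutine survives.
func safeParse(raw, region string) (result string, err error) {
	if err := validatePhoneInput(raw); err != nil {
		return "", err
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("phone parser panicked: %v", r)
		}
	}()
	return parsePhone(raw, region)
}

// recoverMiddleware is the HTTP-layer safety net. net/http already recovers a
// handler panic per connection but only logs it and drops the response; this
// middleware logs the event and returns an explicit 500 to the client.
func recoverMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		defer func() {
			if rec := recover(); rec != nil {
				log.Printf("recovered panic in %s %s: %v", r.Method, r.URL.Path, rec)
				http.Error(w, "internal error", http.StatusInternalServerError)
			}
		}()
		next.ServeHTTP(w, r)
	})
}

// phoneHandler uses the validation wrapper: bad input gets a 400, never a crash.
func phoneHandler(w http.ResponseWriter, r *http.Request) {
	parsed, err := safeParse(r.URL.Query().Get("phone"), "US")
	if err != nil {
		http.Error(w, "invalid phone number", http.StatusBadRequest)
		return
	}
	fmt.Fprintln(w, parsed)
}

// unguardedHandler calls the parser directly, as existing code would before
// the wrapper is introduced; only recoverMiddleware protects it.
func unguardedHandler(w http.ResponseWriter, r *http.Request) {
	parsed, err := parsePhone(r.URL.Query().Get("phone"), "US")
	if err != nil {
		http.Error(w, "invalid phone number", http.StatusBadRequest)
		return
	}
	fmt.Fprintln(w, parsed)
}

// statusFor sends one request through h with httptest and returns the status.
func statusFor(h http.Handler, phone string) int {
	req := httptest.NewRequest(http.MethodGet, "/parse?phone="+url.QueryEscape(phone), nil)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/parse", phoneHandler)
	log.Fatal(http.ListenAndServe(":8080", recoverMiddleware(mux)))
}
```

The wrapper and the middleware are layered deliberately: validation keeps obviously malformed input away from the parser, recover() in safeParse turns a panic in the library into a 400, and the middleware catches anything that slips through in handlers that still call the parser directly. The log line the middleware emits is also the indicator to watch for under Detection & Monitoring.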

🧯 If You Can't Patch

  • Implement strict input validation for phone number fields before passing to phonenumbers.Parse()
  • Deploy application behind a WAF with input validation rules

🔍 How to Verify

Check if Vulnerable:

Check go.mod for github.com/nyaruka/phonenumbers version. If version is <1.2.2, you are vulnerable.

Check Version:

grep 'github.com/nyaruka/phonenumbers' go.mod

Verify Fix Applied:

After updating, verify go.mod shows version 1.2.2 or higher and test with known malicious inputs.

📡 Detection & Monitoring

Log Indicators:

  • Application panic logs containing 'runtime error: slice bounds out of range'
  • Sudden application restarts/crashes when processing phone number inputs

Network Indicators:

  • Unusual input patterns in phone number fields
  • Repeated requests with malformed phone numbers

SIEM Query:

source="application.logs" AND "panic" AND "slice bounds out of range"

🔗 References
