CVE-2025-10954 Overview
CVE-2025-10954 is an Improper Validation of Syntactic Correctness of Input vulnerability affecting the github.com/nyaruka/phonenumbers Go library. Versions prior to 1.2.2 are vulnerable to a denial of service condition where an attacker can trigger a panic by providing maliciously crafted input to the phonenumbers.Parse() function, causing a "runtime error: slice bounds out of range" crash.
Critical Impact
Applications using vulnerable versions of the phonenumbers library can be crashed by remote attackers through carefully crafted phone number input, leading to denial of service conditions.
Affected Products
- Textit Phonenumbers versions prior to 1.2.2
- Applications using github.com/nyaruka/phonenumbers Go package
- Go-based services implementing phone number parsing functionality
Discovery Timeline
- 2025-09-27 - CVE-2025-10954 published to NVD
- 2025-10-03 - Last updated in NVD database
Technical Details for CVE-2025-10954
Vulnerability Analysis
This vulnerability stems from improper input validation in the phonenumbers.Parse() function (CWE-1286: Improper Validation of Syntactic Correctness of Input). The library fails to properly validate the boundaries of input data before performing slice operations, allowing specially crafted input to cause an out-of-bounds slice access.
When the Parse() function processes malformed phone number strings, it attempts to access slice indices that exceed the actual bounds of the input data. This results in a Go runtime panic with the error message "slice bounds out of range," which terminates the application if unhandled.
The network-accessible nature of this vulnerability makes it particularly concerning for web services and APIs that accept phone number input from untrusted sources. An attacker requires no authentication or special privileges to exploit this flaw—they simply need to submit a crafted string to any endpoint that processes phone numbers using the vulnerable library.
Root Cause
The root cause is insufficient bounds checking in the phone number parsing logic. When parsing certain malformed inputs, the code assumes the input string contains enough characters for slice operations without first validating the actual string length. This leads to runtime panics when the slice indices exceed the available data.
Attack Vector
The attack vector is network-based with low complexity. An attacker can exploit this vulnerability by sending specially crafted phone number strings to any application endpoint that uses the phonenumbers.Parse() function. Since phone number parsing is typically performed on user-supplied input in web applications, SMS services, and validation APIs, the attack surface can be significant.
The vulnerability requires no user interaction and no prior authentication. When exploited, the application will crash due to an unhandled panic, resulting in denial of service. While the confidentiality and integrity impacts are negligible, the availability impact makes this a concern for production services.
Detection Methods for CVE-2025-10954
Indicators of Compromise
- Application crashes with "runtime error: slice bounds out of range" in panic stack traces
- Repeated crash-restart cycles in services that handle phone number parsing
- Unusual patterns of malformed phone number submissions in application logs
- Elevated error rates in phone number validation endpoints
Detection Strategies
- Monitor application logs for Go runtime panics containing "slice bounds out of range" errors
- Implement dependency scanning to identify vulnerable versions of github.com/nyaruka/phonenumbers below 1.2.2
- Use software composition analysis (SCA) tools to detect vulnerable transitive dependencies
- Configure crash reporting systems to alert on repeated service restarts
Monitoring Recommendations
- Set up alerting for unusual crash patterns in Go services handling phone number input
- Monitor for sudden spikes in error rates on phone number parsing endpoints
- Implement rate limiting on endpoints accepting phone number input to reduce DoS impact
- Review dependency manifests (go.mod, go.sum) for outdated phonenumbers library versions
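A log triage helper for the first detection strategy above, added here as an example and not code from the page or the phonenumbers project: it picks slice-bounds panics out of a service's crash output and attributes them to the library when a github.com/nyaruka/phonenumbers frame appears in the goroutine trace that follows. The sample log and its file paths are constructed placeholders.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// PanicReport summarises one Go runtime panic found in crash output.
type PanicReport struct {
	Message   string // the "panic: ..." line itself
	InLibrary bool   // a github.com/nyaruka/phonenumbers frame appears in the trace
}

var (
	sliceBoundsPanic  = regexp.MustCompile(`^panic: runtime error: slice bounds out of range`)
	phonenumbersFrame = regexp.MustCompile(`^github\.com/nyaruka/phonenumbers[./]`)
)

// FindPhonenumbersPanics scans raw crash output (what the Go runtime writes to stderr on an
// unrecovered panic, possibly aggregated across restarts) and returns one report per
// slice-bounds panic, flagging those whose goroutine trace passes through the library.
func FindPhonenumbersPanics(crashLog string) []PanicReport {
	var reports []PanicReport
	cur := -1 // index of the panic whose trace is currently being read
	for _, raw := range strings.Split(crashLog, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case sliceBoundsPanic.MatchString(line):
			reports = append(reports, PanicReport{Message: line})
			cur = len(reports) - 1
		case cur >= 0 && phonenumbersFrame.MatchString(line):
			reports[cur].InLibrary = true
		}
	}
	return reports
}

// sampleCrashLog is constructed for this example, not a real capture; the source
// path is a placeholder, not the library's real file layout.
const sampleCrashLog = `panic: runtime error: slice bounds out of range [:5] with capacity 2

goroutine 41 [running]:
github.com/nyaruka/phonenumbers.Parse(...)
	/placeholder/parse.go:1 +0x0
`

func main() {
	for _, r := range FindPhonenumbersPanics(sampleCrashLog) {
		fmt.Printf("%s (phonenumbers frame in trace: %v)\n", r.Message, r.InLibrary)
	}
}
```

A panic whose trace never enters the package is still reported, just with InLibrary false, so the same scan separates this CVE from unrelated slice-bounds crashes.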
How to Mitigate CVE-2025-10954
Immediate Actions Required
- Upgrade the github.com/nyaruka/phonenumbers package to version 1.2.2 or later immediately
- Audit all Go applications using this library to identify affected services
- Implement input validation and length checks before passing data to phonenumbers.Parse()
- Consider implementing panic recovery handlers to gracefully handle crashes
Patch Information
The vulnerability was fixed in version 1.2.2 of the phonenumbers library. The fix is available in the GitHub commit 0479e35. Organizations should update their go.mod file to require version 1.2.2 or later.
For additional context, see GitHub Issue #148 which documents the vulnerability discovery and resolution. The Snyk vulnerability advisory provides additional tracking information.
Workarounds
- Implement panic recovery middleware to prevent application crashes from propagating
- Add input length validation before calling phonenumbers.Parse() to reject suspiciously long or malformed strings
- Deploy rate limiting on endpoints accepting phone number input to reduce exploitation impact
- Consider wrapping the Parse() function with additional bounds checking logic
# Update the phonenumbers library to the patched version
go get github.com/nyaruka/phonenumbers@v1.2.2
# Verify the updated version in go.mod
grep phonenumbers go.mod
# Run go mod tidy to clean up dependencies
go mod tidy
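The length check and panic recovery listed under Workarounds, combined into one wrapper as an added example that is not code from the phonenumbers project: SafeParse, ParseFunc and the 64-byte cap are assumptions, and crashyParse is a constructed stand-in that reproduces the panic class rather than the library's actual parsing code.

```go
package main

import (
	"errors"
	"fmt"
)

var (
	ErrInputTooLong   = errors.New("phone number input exceeds length limit")
	ErrParserPanicked = errors.New("phone number parser panicked")
)

// MaxPhoneInputLen is an assumed cap: E.164 numbers carry at most 15 digits, so 64
// bytes leaves room for '+', punctuation and an extension while rejecting oversized input.
const MaxPhoneInputLen = 64

// ParseFunc mirrors phonenumbers.Parse(number, defaultRegion string) (*PhoneNumber, error), generalised over the result type.
type ParseFunc[T any] func(number, region string) (T, error)

// SafeParse enforces the length check first, then calls parse inside a recover()
// guard so that a runtime panic (the slice-bounds panic of CVE-2025-10954) is
// returned as an error instead of terminating the process.
func SafeParse[T any](parse ParseFunc[T], number, region string) (result T, err error) {
	if len(number) > MaxPhoneInputLen {
		return result, ErrInputTooLong
	}
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", ErrParserPanicked, r)
		}
	}()
	return parse(number, region)
}

// crashyParse is a constructed stand-in, NOT the real library: on short input that
// begins with '+' it slices past the end of the string, reproducing the panic class
// the advisory names ("runtime error: slice bounds out of range").
func crashyParse(number, region string) (string, error) {
	if len(number) > 0 && number[0] == '+' {
		return number[1:5], nil // bug: assumes at least four bytes follow the '+'
	}
	return number, nil
}

func main() {
	for _, in := range []string{"+14155552671", "+1"} {
		v, err := SafeParse(crashyParse, in, "US")
		fmt.Printf("%q -> %q, err=%v\n", in, v, err)
	}
}
```

In a real service the parse argument is phonenumbers.Parse itself; the recover path is a safety net for the window before the upgrade to 1.2.2 lands, not a replacement for it.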
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.