VYPR
High severityNVD Advisory· Published Sep 19, 2023· Updated Sep 24, 2024

phonenumber panics on parsing crafted RF3966 inputs

CVE-2023-42444

Description

phonenumber is a library for parsing, formatting and validating international phone numbers. Prior to versions 0.3.3+8.13.9 and 0.2.5+8.11.3, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber over the network, specifically the string .;phone-context=. Versions 0.3.3+8.13.9 and 0.2.5+8.11.3 contain a patch for this issue. There are no known workarounds.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
phonenumbercrates.io
< 0.2.50.2.5
phonenumbercrates.io
>= 0.3.0, < 0.3.30.3.3

Affected products

2

Patches

Vulnerability mechanics

References

6

News mentions

0

No linked articles in our index yet.