Nyaruka Phonenumbers Improper Input Validation Vulnerability in Parse Function
Vulnerability
A denial-of-service vulnerability has been identified in the Nyaruka Phonenumbers package in versions prior to 1.2.2. The issue arises from improper validation of input syntax in the phonenumbers.Parse() function. An attacker can exploit this vulnerability by providing crafted input that triggers a slice-bounds-out-of-range runtime error, causing a panic.
Impact
Exploitation of this vulnerability causes a runtime panic, leading to a crash of the application using the Phonenumbers package.
Reproduction
The vulnerability can be reproduced by calling the phonenumbers.Parse() function with a specific input that includes a phone-context parameter. The crafted input makes the parser index a slice outside its bounds, causing a runtime error. The referenced GitHub issue includes a link to a Go Playground snippet that demonstrates this.
Remediation
Users are advised to upgrade the Nyaruka Phonenumbers package to version 1.2.2 or higher.
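For applications that cannot upgrade immediately, the panic can be contained at the call site so that one malformed request does not crash the whole process. The following is an added example, not code from the advisory or from the Phonenumbers project: it wraps a parser call in a recover guard and flags inputs carrying the phone-context parameter the advisory associates with the bug. The parser used here, fakeParse, is a constructed stand-in that panics on an empty phone-context value; it is not the library's logic.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ErrParsePanic is returned when the wrapped parser panicked instead of returning an error.
var ErrParsePanic = errors.New("phone number parser panicked on input")

// Recovered runs fn and converts a panic (such as the slice-bounds panic from the
// advisory) into a returned error, so the caller's goroutine survives bad input.
func Recovered(fn func() error) (err error) {
	defer func() {
		if r := recover(); r != nil {
			err = fmt.Errorf("%w: %v", ErrParsePanic, r)
		}
	}()
	return fn()
}

// HasPhoneContext reports whether the input carries an RFC 3966 phone-context
// parameter. Callers that never expect tel-URI parameters can reject such inputs early.
func HasPhoneContext(number string) bool {
	return strings.Contains(strings.ToLower(number), ";phone-context=")
}

// fakeParse is a constructed stand-in for a vulnerable parser (NOT the library's code):
// an empty phone-context value makes it slice past the end of the string and panic.
func fakeParse(number, region string) (string, error) {
	const key = ";phone-context="
	if i := strings.Index(number, key); i >= 0 {
		ctx := number[i+len(key):]
		_ = ctx[:1] // panics with "slice bounds out of range" when ctx is empty
		return number[:i], nil
	}
	return strings.TrimSpace(number), nil
}

// SafeParse is the pattern to use around phonenumbers.Parse: the real call would
// replace fakeParse inside the closure, keeping the same error conversion.
func SafeParse(number, region string) (result string, err error) {
	err = Recovered(func() error {
		var e error
		result, e = fakeParse(number, region)
		return e
	})
	return result, err
}

func main() {
	for _, in := range []string{"+1 650 253 0000", "650-253-0000;phone-context="} {
		res, err := SafeParse(in, "US")
		fmt.Printf("%q -> %q, err=%v\n", in, res, err)
	}
}
```

With the real library, the closure body becomes `num, e = phonenumbers.Parse(number, region)`; the recover guard is a stopgap, and upgrading to 1.2.2 or later remains the fix.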