PT-2023-28344 · Unknown · Phonenumber
Sno2 · Published 2023-09-19 · Updated 2023-09-22 · CVE-2023-42444
CVSS v3.1: 8.6 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H |
Name of the Vulnerable Software and Affected Versions
phonenumber versions prior to 0.3.3+8.13.9
phonenumber versions prior to 0.2.5+8.11.3
Description
The phonenumber parsing code may panic because an out-of-bounds access on the phone number string is guarded by a panic rather than by an error return. In a typical deployment of rust-phonenumber, an attacker can trigger this by feeding a maliciously crafted phone number over the network, specifically the string ".;phone-context=". Because the crate is normally called from a request handler, a single such input can abort the process or worker thread; the impact is denial of service only (the vector above scores availability, with no confidentiality or integrity impact).
Recommendations
For versions prior to 0.3.3+8.13.9, update to version 0.3.3+8.13.9 to resolve the issue.
For versions prior to 0.2.5+8.11.3, update to version 0.2.5+8.11.3 to resolve the issue.
As a temporary workaround, restrict the phone numbers that reach the parser so that maliciously crafted strings are never processed: reject any input containing the string ".;phone-context=" before it is passed to the phonenumber parsing code, or, more conservatively, any input carrying an RFC 3966 parameter (a ';' after the number) until the fix is deployed. Input filtering reduces exposure but is not a substitute for upgrading.
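The following Rust program is an added example and is not code from rust-phonenumber or from this advisory's authors. It shows the two mitigations a service owner would layer around the crate until the fixed version is deployed: the input pre-filter recommended above, and a panic boundary so that one crafted request cannot abort a worker. The parser it wraps is a constructed stand-in that reproduces the described out-of-bounds panic on ".;phone-context="; its internals (the trunk-prefix handling), the character allow-list, the 32-byte length cap and the sample inputs are assumptions made for this example, not the crate's actual logic.

```rust
use std::panic::{self, AssertUnwindSafe};

const CONTEXT_PARAM: &str = ";phone-context=";

/// Constructed stand-in for the vulnerable parser (NOT rust-phonenumber's code).
/// It reproduces the behaviour the advisory describes: an out-of-bounds access
/// on the number string that Rust's bounds check turns into a panic.
fn parse_stand_in(input: &str) -> Result<String, String> {
    let (number, has_context) = match input.find(CONTEXT_PARAM) {
        Some(idx) => (&input[..idx], true),
        None => (input, false),
    };
    let mut digits: String = number.chars().filter(|c| c.is_ascii_digit()).collect();
    if has_context {
        // Assumption: the parser strips a trunk prefix ('0') when an RFC 3966
        // phone-context is present and assumes at least one digit exists.
        // For ".;phone-context=" `digits` is empty, so digits.as_bytes()[0]
        // is out of bounds and panics instead of returning an error.
        if digits.as_bytes()[0] == b'0' {
            digits.remove(0);
        }
    }
    if digits.is_empty() {
        return Err("no digits in input".to_string());
    }
    Ok(digits)
}

/// Mitigation 1 (the advisory's workaround): reject crafted input before parsing.
/// The policy is an assumption for this example: a conservative character
/// allow-list, a length cap, at least one digit, and no RFC 3966 parameters
/// (anything after ';'), which rules out ".;phone-context=" entirely.
fn prefilter(input: &str) -> Result<&str, &'static str> {
    let trimmed = input.trim();
    if trimmed.is_empty() || trimmed.len() > 32 {
        return Err("rejected: bad length");
    }
    if trimmed.contains(';') {
        return Err("rejected: RFC 3966 parameters are not accepted");
    }
    if !trimmed.chars().all(|c| c.is_ascii_digit() || "+-(). ".contains(c)) {
        return Err("rejected: disallowed character");
    }
    if !trimmed.chars().any(|c| c.is_ascii_digit()) {
        return Err("rejected: no digits");
    }
    Ok(trimmed)
}

/// Mitigation 2 (defence in depth): run the parser behind a panic boundary so a
/// panic becomes an error for this request instead of aborting the worker.
/// Only works when the binary is built with panic=unwind (the default), not panic=abort.
fn contain_panic(input: &str) -> Result<String, String> {
    panic::catch_unwind(AssertUnwindSafe(|| parse_stand_in(input)))
        .unwrap_or_else(|_| Err("parser panicked; input rejected".to_string()))
}

/// What a request handler should call: filter first, then parse inside the boundary.
fn parse_guarded(input: &str) -> Result<String, String> {
    let clean = prefilter(input).map_err(|e| e.to_string())?;
    contain_panic(clean)
}

fn main() {
    // Constructed sample inputs: a benign number, the advisory's crafted string,
    // and a number carrying a phone-context that the stand-in handles without panicking.
    let samples = ["+1 (415) 555-0100", ".;phone-context=", "0415 555 0100;phone-context=+61"];
    for input in samples.iter() {
        println!("{input:?} -> {:?}", parse_guarded(input));
    }
    // Even with the prefilter bypassed, the boundary keeps the process alive.
    println!("contained: {:?}", contain_panic(".;phone-context="));
}
```

The panic boundary is a containment measure, not a fix: it does nothing under panic=abort, each caught panic still writes the panic message to stderr through the default hook, and the crate's own state is not consulted, so the upgrade remains the only real remediation. The pre-filter is the cheaper control and also removes the attack surface of RFC 3966 parameters, which most services that accept dialable numbers never need.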
Affected Products
Phonenumber