PT-2024-28635 · Unknown · Rust-Phonenumber

Rubdos · Published 2024-07-07 · Updated 2024-07-09 · CVE-2024-39697

CVSS v4.0: 9.2 (Critical)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H
Name of the Vulnerable Software and Affected Versions: rust-phonenumber versions 0.3.4 through 0.3.5

Description: The phone-number parsing code may panic: an out-of-bounds index into the phone-number string is caught by a bounds check, so the outcome is a panic (denial of service) rather than memory corruption. In a typical deployment of rust-phonenumber this can be triggered by feeding a maliciously crafted phone number, e.g. over the network, specifically strings of the form +dwPAA;phone-context=AA, where the number part potentially parses as a number larger than 2^56.

Recommendations: For rust-phonenumber versions 0.3.4 through 0.3.5, upgrade to version 0.3.6 or higher, which prevents the panic-guarded out-of-bounds access from maliciously crafted phone numbers received over the network. As a temporary workaround, restrict the phone-number input accepted by the application so that maliciously crafted strings are rejected before they are parsed.
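As an added example, not part of this advisory and not rust-phonenumber's own code, the following Rust function implements the interim workaround described above as a gate in front of the parser. It rejects any string carrying a `;` parameter (the tel-URI style `;phone-context=` form quoted in the description), any character outside digits, one leading `+` and common separators, and any input with more than 15 digits (the E.164 maximum; since 10^15 < 2^56, an accepted digit string cannot encode a value in the range the description names). The constants, the `Reject` enum and the calling convention are assumptions chosen for illustration.

```rust
// Added example, not rust-phonenumber's own code: a conservative input gate
// applied before a phone-number string reaches the parser. All limits and
// names here are assumptions for illustration.

/// Cap on raw input length before any other inspection (assumption).
pub const MAX_INPUT_LEN: usize = 32;
/// E.164 allows at most 15 digits; 10^15 < 2^56, so an accepted digit string
/// cannot represent a value in the range the advisory describes.
pub const MAX_DIGITS: usize = 15;

#[derive(Debug, PartialEq, Eq)]
pub enum Reject {
    /// Raw input longer than MAX_INPUT_LEN bytes.
    TooLong,
    /// Contains ';', i.e. a tel-URI style parameter such as ";phone-context=".
    HasParameter,
    /// A character outside digits, a leading '+', and common separators.
    BadChar(char),
    /// More than MAX_DIGITS digits.
    TooManyDigits,
    /// No digits at all.
    NoDigits,
}

/// Normalises `raw` to an optional leading '+' followed by digits only,
/// or explains why the input should not be forwarded to the parser.
pub fn prefilter_phone(raw: &str) -> Result<String, Reject> {
    if raw.len() > MAX_INPUT_LEN {
        return Err(Reject::TooLong);
    }
    if raw.contains(';') {
        return Err(Reject::HasParameter);
    }
    let mut out = String::with_capacity(MAX_DIGITS + 1);
    let mut digits = 0usize;
    for (i, c) in raw.trim().chars().enumerate() {
        match c {
            '+' if i == 0 => out.push('+'),
            '0'..='9' => {
                digits += 1;
                if digits > MAX_DIGITS {
                    return Err(Reject::TooManyDigits);
                }
                out.push(c);
            }
            // Common human formatting; dropped rather than forwarded.
            ' ' | '-' | '(' | ')' | '.' => {}
            other => return Err(Reject::BadChar(other)),
        }
    }
    if digits == 0 {
        return Err(Reject::NoDigits);
    }
    Ok(out)
}

fn main() {
    // Constructed sample inputs, including the shape quoted in the advisory.
    for s in ["+1 415-555-0100", "+dwPAA;phone-context=AA", "+dwPAA", "+1234567890123456"] {
        println!("{:?} -> {:?}", s, prefilter_phone(s));
    }
}
```

Only the `Ok` value is handed to the real parser; everything else is logged and dropped. The gate is deliberately stricter than the parser itself (it also discards tel-URI parameters that legitimate callers rarely send), which is the usual trade-off for a stopgap until the fixed version is deployed.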

References: Exploit · Fix

Classification: Improper Access Control · Assertion Failure


Related Identifiers

CVE-2024-39697
GHSA-MJW4-JJ88-V687
RUSTSEC-2024-0369

Affected Products

Rust-Phonenumber