Phone Number Parsing Library Vulnerable to Malicious Input

CVE: CVE-2023-42444
CVSS (v3.1): 8.6
Source: CVE-2023-42444

The phone number parsing library phonenumber can be made to panic by specially crafted phone numbers received over a network connection.

Phonenumber is an open source library used to validate, format and parse international phone numbers. In older versions, passing the string ".;phone-context=" to the parser crashes the program. An attacker could use this to cause a denial of service, or other disruption, in any system that uses phonenumber to process phone numbers received remotely.

The vulnerability stems from an out-of-bounds access that is not properly guarded against unexpected input; the failed bounds check causes the library to panic. Malicious actors may be able to identify services that use the vulnerable phonenumber library and trigger the panic by sending phone numbers crafted for that purpose.

Luckily, the developers have released patched versions 0.3.3+8.13.9 and 0.2.5+8.11.3 that fix this issue. All users of phonenumber should upgrade immediately to one of these fixed versions. Applications that use phonenumber to process untrusted external phone numbers should also validate their input and reject unexpected special characters or strings before they reach the parser.
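As an added example (not code from the phonenumber project or from this advisory), the following Rust guard shows the two mitigations recommended above: an allowlist check that rejects strings such as ".;phone-context=" before they reach the parser, and a catch_unwind wrapper that turns a library panic into an error for that one request instead of a crash. The names is_plausible_phone_input and parse_guarded and the parser closure are assumptions, and the allowlist assumes the application accepts plain dialable numbers rather than RFC 3966 tel: URIs.

```rust
use std::panic::{self, AssertUnwindSafe};

/// Allowlist check applied before untrusted input reaches the parser.
/// Assumption: only plain dialable numbers are accepted, so ';' and
/// parameter names such as "phone-context" are never legitimate here.
pub fn is_plausible_phone_input(input: &str) -> bool {
    let s = input.trim();
    // Bound the length so oversized strings never reach the parser.
    if s.is_empty() || s.len() > 32 {
        return false;
    }
    // Every character must be a digit or a common separator.
    let allowed = s
        .chars()
        .all(|c| c.is_ascii_digit() || matches!(c, '+' | ' ' | '-' | '(' | ')' | '.'));
    // And there must be enough digits to be a number at all.
    let digits = s.chars().filter(|c| c.is_ascii_digit()).count();
    allowed && digits >= 3
}

/// Defence in depth: run the parser under catch_unwind so a panic inside
/// the library becomes an Err for this request rather than taking the
/// process (or worker thread) down.
pub fn parse_guarded<T>(
    input: &str,
    parser: impl FnOnce(&str) -> Result<T, String>,
) -> Result<T, String> {
    if !is_plausible_phone_input(input) {
        return Err("rejected by input validation".to_string());
    }
    panic::catch_unwind(AssertUnwindSafe(|| parser(input)))
        .unwrap_or_else(|_| Err("parser panicked on input".to_string()))
}

fn main() {
    // Stand-in for the real library call (assumption); the crafted string
    // from the advisory never reaches it because validation rejects it.
    let stub = |s: &str| Ok::<String, String>(s.to_string());
    println!("{:?}", parse_guarded("+1 (415) 555-0100", stub));
    println!("{:?}", parse_guarded(".;phone-context=", stub));
}
```

If the application legitimately accepts tel: URIs with parameters, the allowlist must be widened and the panic guard becomes the main line of defence; upgrading to a fixed version remains the real fix.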

Proper input validation is important to prevent exploitation of vulnerabilities like this one. Keeping libraries and software up to date helps ensure your systems remain protected against known issues.
