CVE-2025-10954 is a medium-severity vulnerability affecting versions of the Go package github.com/nyaruka/phonenumbers prior to 1.2.2. The vulnerability arises from improper validation of the syntactic correctness of input in the phonenumbers.Parse() function. Specifically, when the function processes crafted input, it can trigger a runtime panic due to a "slice bounds out of range" error. This indicates that the function does not adequately check input boundaries before accessing slices, leading to a runtime exception. The vulnerability is classified under CWE-1286, which relates to improper validation of input that can cause unexpected behavior or crashes. The CVSS 4.0 base score is 6.9, reflecting a medium severity level, with the vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and limited impact on availability (VA:L), with no impact on confidentiality or integrity. Exploitation does not require authentication or user interaction, and the vulnerability can be triggered remotely by sending crafted input to the vulnerable function. Although no known exploits are currently reported in the wild, the vulnerability could be leveraged to cause denial-of-service conditions in applications relying on this library for phone number parsing, potentially disrupting services that depend on phone number validation or processing. Since the package is a widely used library for phone number parsing in Go applications, any software or service that integrates this package and uses vulnerable versions is at risk of unexpected crashes or service interruptions when processing maliciously crafted phone number inputs.

For European organizations, the impact of this vulnerability primarily involves potential denial-of-service (DoS) conditions in applications that use the vulnerable phonenumbers package. This could affect telecommunications companies, customer relationship management (CRM) systems, financial services, and any enterprise software that validates or processes phone numbers using this library. Disruptions could lead to degraded service availability, impacting customer experience and operational continuity. While the vulnerability does not directly compromise confidentiality or integrity, repeated or targeted exploitation could cause system instability or outages, which may have regulatory and reputational consequences under European data protection and operational resilience frameworks such as GDPR and NIS Directive. Organizations relying on automated phone number validation in critical workflows may face operational delays or failures, especially if input validation is not supplemented by additional safeguards. The lack of required authentication or user interaction for exploitation increases the risk surface, as attackers can remotely trigger the vulnerability without prior access or user involvement.

European organizations should promptly update the github.com/nyaruka/phonenumbers package to version 1.2.2 or later, where this vulnerability has been addressed. If immediate upgrading is not feasible, implement input validation controls at the application level to sanitize and verify phone number inputs before passing them to the phonenumbers.Parse() function, ensuring inputs conform to expected formats and length constraints. Employ runtime monitoring and error handling to gracefully manage unexpected panics or exceptions arising from input parsing. Incorporate fuzz testing and static code analysis in the development lifecycle to detect similar input validation issues proactively. Additionally, deploy Web Application Firewalls (WAFs) or input filtering mechanisms to detect and block suspicious or malformed phone number inputs at network boundaries. Maintain an inventory of all internal and third-party applications using this package to ensure comprehensive patching. Finally, establish incident response procedures to quickly identify and mitigate any exploitation attempts causing service disruptions.