
CVE-2025-10954: Improper Validation of Syntactic Correctness of Input in github.com/nyaruka/phonenumbers

Medium
Published: Sat Sep 27 2025 (09/27/2025, 05:00:00 UTC)
Source: CVE Database V5
Product: github.com/nyaruka/phonenumbers

Description

Versions of the package github.com/nyaruka/phonenumbers before 1.2.2 are vulnerable to Improper Validation of Syntactic Correctness of Input in the phonenumbers.Parse() function. An attacker can cause a panic by providing crafted input causing a "runtime error: slice bounds out of range".

AI-Powered Analysis

AI analysis last updated: 09/28/2025, 00:14:03 UTC

Technical Analysis

CVE-2025-10954 is a medium-severity vulnerability affecting versions of the Go package github.com/nyaruka/phonenumbers prior to 1.2.2. It arises from improper validation of the syntactic correctness of input within the phonenumbers.Parse() function: crafted input triggers a runtime panic with a "slice bounds out of range" error, meaning the function indexes past the end of a slice, most likely because a boundary check on the input is missing. In Go an unrecovered panic terminates the process, so an attacker can cause a denial of service (DoS) by crashing the application or service that relies on this library.

The vulnerability requires no authentication, user interaction or privileges, and can be triggered remotely by submitting maliciously crafted phone number strings to any code path that reaches the vulnerable function. The CVSS 4.0 base score is 6.9 (medium): network attack vector, low attack complexity, no privileges or user interaction required, and limited impact on availability. No exploits in the wild were known at the time of publication, and no official patch is linked, but upgrading to version 1.2.2 or later is the recommended remediation.

The vulnerability primarily affects applications and services that use the phonenumbers library for phone number parsing and validation, which may include telecommunication platforms, customer relationship management (CRM) systems, and other software handling phone number input.

Potential Impact

For European organizations, the impact of CVE-2025-10954 can be significant in environments where the phonenumbers library is integrated into customer-facing or backend systems. A successful exploitation can lead to application crashes, resulting in denial of service conditions that disrupt business operations, degrade user experience, and potentially cause loss of revenue or customer trust. Organizations in sectors such as telecommunications, financial services, e-commerce, and public services that rely on phone number validation for user authentication, contact management, or communication workflows are particularly at risk. While the vulnerability does not directly lead to data breaches or privilege escalation, the resulting service outages could indirectly affect availability and operational continuity. Additionally, repeated exploitation attempts could be used as a vector in larger distributed denial of service (DDoS) campaigns targeting critical infrastructure. Given the interconnected nature of European digital services and regulatory requirements for service availability and data integrity, mitigating this vulnerability is important to maintain compliance and operational resilience.

Mitigation Recommendations

European organizations should take the following specific mitigation steps:

1) Identify all internal and third-party applications and services that use the github.com/nyaruka/phonenumbers library, especially versions prior to 1.2.2.
2) Immediately upgrade the phonenumbers package to version 1.2.2 or later, where the vulnerability is fixed.
3) Implement input validation and sanitization at the application layer to detect and reject malformed or suspicious phone number inputs before they reach the parsing function.
4) Employ runtime monitoring and alerting to detect application panics or crashes related to phone number parsing, enabling rapid incident response.
5) Use circuit breakers or rate limiting on APIs that accept phone number inputs to reduce the risk of exploitation through crafted inputs.
6) Conduct code reviews and security testing focused on input handling in all components that integrate this library.
7) Maintain an inventory of dependencies and subscribe to vulnerability feeds to ensure timely awareness of such issues.

These measures will help reduce the risk of denial of service and improve overall input handling robustness.
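Steps 3 and 4 above (application-layer pre-validation and containing a parser panic so it surfaces as an error rather than a crash), as an added Go example that is not part of the advisory or of the phonenumbers project. ParseFunc, PreValidate, SafeParse and the constructed stubParse are assumptions; the real library is not imported, so the block runs offline, and stubParse only imitates the failure mode (slicing past the end of short input).

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// ErrParsePanic marks a panic that was recovered inside SafeParse.
var ErrParsePanic = errors.New("phone parser panicked on input")

// ParseFunc mirrors the (number, defaultRegion) shape of phonenumbers.Parse
// with the result type left open (assumption, so any parser can be wrapped).
type ParseFunc func(number, region string) (any, error)

// allowed is a conservative pre-filter: optional '+', then only digits,
// spaces, dots, hyphens and parentheses.
var allowed = regexp.MustCompile(`^\+?[0-9 ().\-]+$`)

// PreValidate rejects empty, oversized or oddly formed input at the
// application layer before it ever reaches the library.
func PreValidate(number string) error {
	if number == "" || len(number) > 32 {
		return errors.New("phone number length out of range")
	}
	if !allowed.MatchString(number) {
		return errors.New("phone number has unexpected characters")
	}
	return nil
}

// SafeParse runs parse under recover so that a runtime panic such as the
// "slice bounds out of range" in CVE-2025-10954 becomes an ordinary error
// instead of terminating the process.
func SafeParse(parse ParseFunc, number, region string) (res any, err error) {
	if verr := PreValidate(number); verr != nil {
		return nil, verr
	}
	defer func() {
		if r := recover(); r != nil {
			res, err = nil, fmt.Errorf("%w: %v", ErrParsePanic, r)
		}
	}()
	return parse(number, region)
}

// stubParse is a constructed stand-in for a vulnerable parser: it takes
// number[1:4] as a "country code" without checking the length, so "+1" panics.
func stubParse(number, region string) (any, error) {
	return number[1:4], nil
}
```

Calling SafeParse(stubParse, "+1", "US") returns an error wrapping ErrParsePanic, which is the signal step 4's monitoring should count and alert on.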


Technical Details

Data Version: 5.1
Assigner Short Name: snyk
Date Reserved: 2025-09-25T07:30:18.158Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68d87cd25d6228f86ddc92b6

Added to database: 9/28/2025, 12:09:54 AM

Last enriched: 9/28/2025, 12:14:03 AM

Last updated: 9/28/2025, 1:08:36 AM
