{"id":"CVE-2024-39697","summary":"phonenumber panics on parsing crafted phonenumber inputs","details":"phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the \"number\" part potentially parses as a number larger than 2^56. This vulnerability is fixed in 0.3.6.","aliases":["GHSA-mjw4-jj88-v687","RUSTSEC-2024-0369"],"modified":"2026-04-10T05:14:35.874039Z","published":"2024-07-09T14:16:38.493Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39697.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-1284","CWE-284","CWE-392","CWE-617"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/39xxx/CVE-2024-39697.json"},{"type":"ADVISORY","url":"https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-39697"},{"type":"REPORT","url":"https://github.com/whisperfish/rust-phonenumber/issues/69"},{"type":"FIX","url":"https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203"},{"type":"FIX","url":"https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407"},{"type":"FIX","url":"https://github.com/whisperfish/rust-phonenumber/pull/52"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/whisperfish/rust-phonenumber","events":[{"introduced":"0"},{"fixed":"b792151b17fc90231c232a23935830c2266f3203"}]},{"type":"GIT","repo":"https://github.com/whisperfish/rust-phonenumber","events":[{"introduced":"0"},{"fixed":"f69abee1481fac0d6d531407bae90020e39c6407"}]},{"type":"GIT","repo":"https://github.com/whisperfish/rust-phonenumber","events":[{"introduced":"0"},{"fixed":"b792151b17fc90231c232a23935830c2266f3203"}]},{"type":"GIT","repo":"https://github.com/whisperfish/rust-phonenumber","events":[{"introduced":"0"},{"fixed":"f69abee1481fac0d6d531407bae90020e39c6407"}]}],"versions":["v0.1.0","v0.3.3+8.13.9","v0.3.4+8.13.34","v0.3.5+8.13.36"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-39697.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H"}]}