CVE-2025-10954: 
Wolfi vulnerability analysis and mitigation

CVE-2025-10954 affects versions of the package github.com/nyaruka/phonenumbers before 1.2.2. The vulnerability was discovered on September 27, 2025, and involves improper validation of syntactic correctness of input in the phonenumbers.Parse() function. This vulnerability was reported by Snyk and assigned a CVSS v3.1 base score of 7.5 (HIGH) by NIST NVD (NVD).

The vulnerability exists in the phonenumbers.Parse() function where improper validation of input can lead to a runtime panic. Specifically, the issue occurs in the buildNationalNumberForParsing function when handling phone numbers formatted according to RFC3966 that include a phone-context parameter. The vulnerable code attempts to access an index beyond the string bounds when processing certain malformed inputs, resulting in a 'slice bounds out of range' error (Miggo).

When exploited, this vulnerability can cause a denial of service (DoS) condition by triggering a panic in the application. The impact is primarily on availability, with no direct effect on confidentiality or integrity of the system (Snyk).

The recommended mitigation is to upgrade github.com/nyaruka/phonenumbers to version 1.2.2 or higher. The fix has been implemented through the introduction of two new functions: extractPhoneContext and isPhoneContextValid, which properly validate the phone-context parameter and perform explicit boundary checks (GitHub Commit).