CVE-2024-39697

HIGH
Published Jul 9, 2024 Modified Apr 15, 2026 CWE-284 CWE-392 CWE-617 CWE-1284

Description

phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the "number" part potentially parses as a number larger than 2^56. This vulnerability is fixed in 0.3.6.

CVSS v3.1 Score

8.6
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H

Weakness Type (CWE)

CWE-284 CWE-284
CWE-392 CWE-392
CWE-617 CWE-617
CWE-1284 CWE-1284

References

Other References

https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203 https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407 https://github.com/whisperfish/rust-phonenumber/issues/69 https://github.com/whisperfish/rust-phonenumber/pull/52 https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687 https://github.com/whisperfish/rust-phonenumber/commit/b792151b17fc90231c232a23935830c2266f3203 https://github.com/whisperfish/rust-phonenumber/commit/f69abee1481fac0d6d531407bae90020e39c6407 https://github.com/whisperfish/rust-phonenumber/issues/69 https://github.com/whisperfish/rust-phonenumber/pull/52 https://github.com/whisperfish/rust-phonenumber/security/advisories/GHSA-mjw4-jj88-v687

Frequently Asked Questions

What is CVE-2024-39697? +
phonenumber is a library for parsing, formatting and validating international phone numbers. Since 0.3.4, the phonenumber parsing code may panic due to a panic-guarded out-of-bounds access on the phonenumber string. In a typical deployment of rust-phonenumber, this may get triggered by feeding a maliciously crafted phonenumber, e.g. over the network, specifically strings of the form `+dwPAA;phone-context=AA`, where the "number" part potentially parses as a number larger than 2^56. This vulnerability is fixed in 0.3.6. It has a CVSS v3.1 base score of 8.6 (HIGH).
How severe is CVE-2024-39697? +
CVE-2024-39697 has a CVSS v3.1 score of 8.6 out of 10, rated HIGH. This is a high-severity vulnerability that should be prioritized for patching.
How do I check if I'm vulnerable to CVE-2024-39697? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2026-35402

mcp-neo4j-cypher is an MCP server for executing Cypher queries against Neo4j databases. In versions prior to 0.6.0, the read_only mode …
CVE-2026-40866

Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in …
CVE-2026-40865

Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, an insecure direct object reference in …
CVE-2026-40874

mailcow: dockerized is an open source groupware/email suite based on docker. In versions prior to 2026-03b, no administrator verification takes …
CVE-2026-42278

UltraDAG is a minimal DAG-BFT blockchain in Rust. Prior to commit fb6ef59, the UltraDAG StateEngine implementation of SmartTransferTx contains a …
CVE-2026-40867

Horilla is a free and open source Human Resource Management System (HRMS). In 1.5.0, a broken access control vulnerability in …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2024-39697 — free, no signup required.

Start Free Scan