isValidPhoneNumber accepts incorrect lengths for Paraguay (PY) and Uruguay (UY)

[ezegauna]

Description

isValidPhoneNumber() accepts phone numbers with incorrect NSN lengths for Paraguay and Uruguay, allowing invalid numbers to pass validation.

Affected countries

Uruguay (UY) — +598

Per URSEC's closed numbering plan (2010), all Uruguayan numbers (fixed and mobile) are exactly 8 NSN digits. This has been the case for 15 years.

The library accepts 7 NSN digits as valid:

isValidPhoneNumber('+5989512345')  // 7 NSN digits → true  ❌ should be false
isValidPhoneNumber('+59895527722') // 8 NSN digits → true  ✅

Paraguay (PY) — +595

Per ITU's numbering plan for Paraguay (2002), all Paraguayan numbers (fixed and mobile) are exactly 9 NSN digits.

The library accepts 7, 8, 10 and 11 NSN digits as valid:

isValidPhoneNumber('+5959811234')    // 7 NSN digits  → true  ❌ should be false
isValidPhoneNumber('+59598112345')   // 8 NSN digits  → true  ❌ should be false
isValidPhoneNumber('+595981123456')  // 9 NSN digits  → true  ✅
isValidPhoneNumber('+5959811234567') // 10 NSN digits → true  ❌ should be false
isValidPhoneNumber('+59598112345678')// 11 NSN digits → true  ❌ should be false

Expected E.164 format

Country	Format	Total E.164 length
Uruguay	+598 + 8 digits	12 chars
Paraguay	+595 + 9 digits	13 chars

Versions tested

• 1.12.38 — affected
• 1.12.40 (latest) — still affected

Additional notes

validatePhoneNumberLength() returns undefined for all these cases (instead of TOO_SHORT or TOO_LONG), and isPossiblePhoneNumber() also returns true, suggesting the metadata length ranges for these countries are not correctly defined.

References

• Uruguay numbering plan: https://en.wikipedia.org/wiki/Telephone_numbers_in_Uruguay
• Paraguay numbering plan: https://en.wikipedia.org/wiki/Telephone_numbers_in_Paraguay
• URSEC (Uruguay regulator): https://www.ursec.gub.uy

[catamphetamine]

Hi, That’s a very detailed bug report 👍 However, any metadata-related issues should be forwarded to Google, as suggested by the “Bug reporting” section of the readme. That’s because ‘libphonenumber-js’ simply reuses Google’s metadata. It also includes the instructions for reporting any discrepancy bugs.

…

On Fri, 20 Mar 2026 at 16:41, Eze ***@***.***> wrote: *ezegauna* created an issue (catamphetamine/libphonenumber-js#495) <#495> Description isValidPhoneNumber() accepts phone numbers with incorrect NSN lengths for Paraguay and Uruguay, allowing invalid numbers to pass validation. Affected countries Uruguay (UY) — +598 Per URSEC's closed numbering plan (2010) <https://en.wikipedia.org/wiki/Telephone_numbers_in_Uruguay>, *all* Uruguayan numbers (fixed and mobile) are exactly *8 NSN digits*. This has been the case for 15 years. The library accepts *7 NSN digits* as valid: isValidPhoneNumber('+5989512345') // 7 NSN digits → true ❌ should be falseisValidPhoneNumber('+59895527722') // 8 NSN digits → true ✅ Paraguay (PY) — +595 Per ITU's numbering plan for Paraguay (2002) <https://en.wikipedia.org/wiki/Telephone_numbers_in_Paraguay>, *all* Paraguayan numbers (fixed and mobile) are exactly *9 NSN digits*. The library accepts *7, 8, 10 and 11 NSN digits* as valid: isValidPhoneNumber('+5959811234') // 7 NSN digits → true ❌ should be falseisValidPhoneNumber('+59598112345') // 8 NSN digits → true ❌ should be falseisValidPhoneNumber('+595981123456') // 9 NSN digits → true ✅isValidPhoneNumber('+5959811234567') // 10 NSN digits → true ❌ should be falseisValidPhoneNumber('+59598112345678')// 11 NSN digits → true ❌ should be false Expected E.164 format Country Format Total E.164 length Uruguay +598 + 8 digits 12 chars Paraguay +595 + 9 digits 13 chars Versions tested - 1.12.38 — affected - 1.12.40 (latest) — still affected Additional notes validatePhoneNumberLength() returns undefined for all these cases (instead of TOO_SHORT or TOO_LONG), and isPossiblePhoneNumber() also returns true, suggesting the metadata length ranges for these countries are not correctly defined. References - Uruguay numbering plan: https://en.wikipedia.org/wiki/Telephone_numbers_in_Uruguay - Paraguay numbering plan: https://en.wikipedia.org/wiki/Telephone_numbers_in_Paraguay - URSEC (Uruguay regulator): https://www.ursec.gub.uy — Reply to this email directly, view it on GitHub <#495?email_source=notifications&email_token=AADUP37M55BKLSVQFIJ72534RVDA5A5CNFSL4Z3JMQ5C6L3HNF2C22DVMIXUS43TOVSS6NBRGA3TSNRSHE4DFJTSMVQXG33OVJZXKYTTMNZGSYTFMSSWK5TFNZ2KYZTPN52GK4S7MNWGSY3L>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AADUP36UUELXWDINVJFYPFL4RVDA5AVCNFSM6AAAAACWZEM6T6VHI2DSMVQWIX3LMV43ASLTON2WKOZUGEYDOOJWGI4TQMQ> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.***>