GHSA-mvrp-3cvx-c325: Zod denial of service vulnerability during email validation

Impact

API servers running express-zod-api that:

  • use a version of express-zod-api below 10.0.0-beta1, and
  • use the following (or a similar) validation schema in their implementation: z.string().email(),

are vulnerable to a DoS attack, because:

  • zod versions up to 3.22.2 have Inefficient Regular Expression Complexity (CWE-1333) in that email validation, and
  • those express-zod-api versions depend directly on zod.

Patches

The patched version of zod fixing the vulnerability is 3.22.3.

However, it’s highly recommended to upgrade express-zod-api to at least version 10.0.0, which no longer pins zod as a direct dependency but requires it as a peer dependency instead, so that you install (and can upgrade to) the patched zod version yourself.

Workarounds

When it’s not possible to upgrade your dependencies, consider the following replacement in your implementation:

- z.string().email()
+ z.string().regex(
+   /^(?!\.)(?!.*\.\.)([A-Z0-9_+-\.]*)[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i
+ )
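Review bot: in the added regex, the first character class `[A-Z0-9_+-\.]` contains the sequence `+-\.`, which a JavaScript regex engine parses as a range from `+` (0x2B) to `.` (0x2E), so `,` is accepted in the local part in addition to `+`, `-` and `.`; this differs from the second class `[A-Z0-9_+-]`, where the trailing `-` is a literal. If only those literals are intended, write the class as `[A-Z0-9_+.-]` with the hyphen last.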

This regular expression is taken from the suggested patch of zod.
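As an added example (not code from the advisory, from zod or from express-zod-api), here is the workaround regex applied as a standalone validator, together with a small helper that tells whether the zod version resolved in a project is still below the patched 3.22.3. The helper names and the sample inputs are constructed for this illustration.

```javascript
// Added example, not part of the advisory: the workaround regex from above
// used as a standalone validator, plus a version check against zod 3.22.3.
const SAFE_EMAIL_REGEX =
  /^(?!\.)(?!.*\.\.)([A-Z0-9_+-\.]*)[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i;

// Equivalent of z.string().regex(SAFE_EMAIL_REGEX) applied to a single value.
function isValidEmail(value) {
  return typeof value === "string" && SAFE_EMAIL_REGEX.test(value);
}

// Numeric dotted-version comparison; a pre-release suffix ("-beta1") is dropped.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

const PATCHED_ZOD_VERSION = "3.22.3"; // first fixed release, per the advisory

// True when the given zod version still ships the vulnerable email regex.
function zodNeedsWorkaround(installedZodVersion) {
  return compareVersions(installedZodVersion, PATCHED_ZOD_VERSION) < 0;
}

// Resolves the zod version actually installed next to this file, or null
// when zod is not installed (or require() is unavailable in this runtime).
function installedZodVersion() {
  try {
    return require("zod/package.json").version;
  } catch {
    return null;
  }
}

// Constructed sample inputs for a quick self-check of the validator.
const SAMPLES = {
  "user.name+tag@example.com": true,
  ".user@example.com": false, // leading dot rejected by (?!\.)
  "a..b@example.com": false,  // consecutive dots rejected by (?!.*\.\.)
  "user@-example.com": false, // domain label must start with [A-Z0-9]
  "user@example": false,      // needs at least one dot and a 2+ letter TLD
};
for (const [input, expected] of Object.entries(SAMPLES)) {
  if (isValidEmail(input) !== expected) throw new Error(`unexpected result for ${input}`);
}
const zodVersion = installedZodVersion();
console.log(zodVersion === null ? "zod not installed here"
  : `zod ${zodVersion} needs workaround: ${zodNeedsWorkaround(zodVersion)}`);
```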

References

  • Original issue: https://github.com/colinhacks/zod/issues/2609
  • The patch: https://github.com/colinhacks/zod/pull/2824
  • Entry in database: https://nvd.nist.gov/vuln/detail/CVE-2023-4316
  • Enumeration: https://cwe.mitre.org/data/definitions/1333.html
  • Parent advisory: https://github.com/advisories/GHSA-m95q-7qp3-xv42
  • Changelog entry for express-zod-api version 10.0.0-beta1: https://github.com/RobinTail/express-zod-api/blob/master/CHANGELOG.md#v1000-beta1