GHSA-mvrp-3cvx-c325

Source
https://github.com/advisories/GHSA-mvrp-3cvx-c325
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-mvrp-3cvx-c325/GHSA-mvrp-3cvx-c325.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mvrp-3cvx-c325
Published
2023-10-04T14:46:06Z
Modified
2023-10-04T14:46:06Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Zod denial of service vulnerability during email validation
Details

Impact

API servers running express-zod-api that:

  • use a version of express-zod-api below 10.0.0-beta1,
  • and use the following (or a similar) validation schema in their implementation: z.string().email(),

are vulnerable to a DoS attack because:

  • zod versions up to 3.22.2 contain an Inefficient Regular Expression Complexity flaw in their email validation,
  • and those express-zod-api versions depend on zod directly.

Patches

The patched version of zod fixing the vulnerability is 3.22.3.

However, it is highly recommended to upgrade express-zod-api to at least version 10.0.0, which no longer pins zod as a strict direct dependency but declares it as a peer dependency instead, so that you can install the patched zod version yourself.

Workarounds

When it's not possible to upgrade your dependencies, consider the following replacement in your implementation:

- z.string().email()
+ z.string().regex(
+   /^(?!\.)(?!.*\.\.)([A-Z0-9_+-\.]*)[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i
+ )

This regular expression is taken from the suggested patch of zod.
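The following is an added example and is not code from this advisory, from zod or from express-zod-api. It exercises the replacement pattern quoted above as a plain JavaScript check, so a team applying the workaround can confirm which addresses it accepts and rejects (the sample addresses are constructed) and that a long, non-matching input still completes promptly instead of stalling the event loop. One point worth knowing before adopting it: inside a JavaScript character class, `+-\.` is parsed as a range from `+` (0x2B) to `.` (0x2E), so the pattern also admits a comma in the local part; the example records that behaviour explicitly. The function names `isValidEmail`, `checkWithTiming`, `countMatchingSamples` and `longInputTiming` are chosen here, not taken from any library.

```javascript
// Added example (not part of the advisory, zod or express-zod-api): exercises the
// replacement regular expression from the Workarounds section so the workaround can
// be checked for accepted/rejected inputs and for runtime on long inputs.

// The regex exactly as quoted in the advisory (taken from zod's suggested patch).
const EMAIL_WORKAROUND_REGEX =
  /^(?!\.)(?!.*\.\.)([A-Z0-9_+-\.]*)[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i;

// Plain replacement for the z.string().email() check: true when the value matches.
function isValidEmail(value) {
  return typeof value === 'string' && EMAIL_WORKAROUND_REGEX.test(value);
}

// Runs the check and reports wall-clock time, so a long input can be shown to
// finish in roughly linear time rather than hanging the process.
function checkWithTiming(value) {
  const start = performance.now();
  const valid = isValidEmail(value);
  return { valid, elapsedMs: performance.now() - start };
}

// Constructed sample inputs (hypothetical addresses, not taken from the advisory),
// each paired with the result the quoted pattern produces for it.
const SAMPLES = [
  ['user@example.com', true],
  ['first.last+tag@sub.example.org', true],
  ['comma,ok@example.com', true],        // '+-\.' in the class is a range that includes ','
  ['.leading-dot@example.com', false],   // rejected by the (?!\.) lookahead
  ['double..dot@example.com', false],    // rejected by the (?!.*\.\.) lookahead
  ['trailing.@example.com', false],      // last local-part character must not be a dot
  ['no-at-sign.example.com', false],
  ['user@localhost', false],             // at least one dot-terminated label plus a TLD is required
  ['user@-bad.example.com', false],      // a domain label cannot start with a hyphen
];

// Counts how many constructed samples the pattern classifies as recorded in SAMPLES.
function countMatchingSamples() {
  return SAMPLES.filter(([input, expected]) => isValidEmail(input) === expected).length;
}

// A long local part followed by a dangling '@' and nothing else: the shape of input
// that stalls a backtracking-heavy pattern. The length is a constructed value.
function longInputTiming(length = 200000) {
  return checkWithTiming('a'.repeat(length) + '@');
}

// Stand-alone run: prints the classification of each sample and the long-input timing.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [input, expected] of SAMPLES) {
    console.log(`${isValidEmail(input) === expected ? 'ok  ' : 'FAIL'} ${input}`);
  }
  const { valid, elapsedMs } = longInputTiming();
  console.log(`long input: valid=${valid}, elapsed=${elapsedMs.toFixed(3)} ms`);
}
```

The timing helper is the useful part when vetting a regex swap: run it with inputs shaped like the ones your API actually receives (long local parts, many dots, missing domain) and confirm the elapsed time grows with input length rather than exploding. If the comma acceptance matters for your service, add a stricter check in front of the pattern rather than editing the quoted regex, so the workaround stays identical to zod's patch.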

References

  • Original issue: https://github.com/colinhacks/zod/issues/2609
  • The patch: https://github.com/colinhacks/zod/pull/2824
  • Entry in database: https://nvd.nist.gov/vuln/detail/CVE-2023-4316
  • Enumeration: https://cwe.mitre.org/data/definitions/1333.html
  • Parent advisory: https://github.com/advisories/GHSA-m95q-7qp3-xv42
  • Changelog entry for express-zod-api version 10.0.0-beta1: https://github.com/RobinTail/express-zod-api/blob/master/CHANGELOG.md#v1000-beta1
Database specific
{
    "github_reviewed_at": "2023-10-04T14:46:06Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-1333"
    ],
    "nvd_published_at": null,
    "severity": "HIGH"
}
Affected packages

npm / express-zod-api

Affected ranges
  • Type: SEMVER
  • Events:
      • Introduced: 0 (unknown introduced version; all previous versions are affected)
      • Fixed: 10.0.0-beta1

Database specific
  • source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/10/GHSA-mvrp-3cvx-c325/GHSA-mvrp-3cvx-c325.json"