Impact
API servers running express-zod-api having:
- version of
express-zod-api below 10.0.0-beta1,
- and using the following (or similar) validation schema in its implementation:
z.string().email(),
are vulnerable to a DoS attack due to:
- Inefficient Regular Expression Complexity in
zod versions up to 3.22.2,
- depending on
zod.
Patches
The patched version of zod fixing the vulnerability is 3.22.3.
However, it's highly recommended to upgrade express-zod-api to at least version 10.0.0, which does not depend on zod strictly and directly, but requires its installation as a peer dependency instead, enabling you to install the patched zod version yourself.
Workarounds
When it's not possible to upgrade your dependencies, consider the following replacement in your implementation:
- z.string().email()
+ z.string().regex(
+ /^(?!\.)(?!.*\.\.)([A-Z0-9_+-\.]*)[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i
+ )This regular expression is taken from the suggested patch of zod.
References
References
Impact
API servers running
express-zod-apihaving:express-zod-apibelow10.0.0-beta1,z.string().email(),are vulnerable to a DoS attack due to:
zodversions up to3.22.2,zod.Patches
The patched version of
zodfixing the vulnerability is3.22.3.However, it's highly recommended to upgrade
express-zod-apito at least version10.0.0, which does not depend onzodstrictly and directly, but requires its installation as a peer dependency instead, enabling you to install the patchedzodversion yourself.Workarounds
When it's not possible to upgrade your dependencies, consider the following replacement in your implementation:
This regular expression is taken from the suggested patch of
zod.References
express-zod-apiversion10.0.0-beta1: https://github.com/RobinTail/express-zod-api/blob/master/CHANGELOG.md#v1000-beta1References