Impact
API servers running express-zod-api having:
- version of express-zod-api below 10.0.0-beta1,
- and using the following (or similar) validation schema in its implementation: z.string().email(),
are vulnerable to a DoS attack due to:
- Inefficient Regular Expression Complexity in zod versions up to 3.22.2,
- depending on zod.
Patches
The patched version of zod fixing the vulnerability is 3.22.3.
However, it's highly recommended to upgrade express-zod-api to at least version 10.0.0, which does not depend on zod strictly and directly, but requires its installation as a peer dependency instead, enabling you to install the patched zod version yourself.
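
To check whether a project still resolves an affected version, including a copy of zod nested under express-zod-api, the following added example (not part of the advisory or of either project) scans the packages map of a package-lock.json. The version thresholds are the ones stated above; SAMPLE_LOCK, its package versions and the function names are constructed for illustration.

```javascript
// Added example. Thresholds are from the advisory; everything else is illustrative.
const AFFECTED = new Map([
  ["express-zod-api", (v) => compareVersions(v, "10.0.0-beta1") < 0], // below 10.0.0-beta1
  ["zod", (v) => compareVersions(v, "3.22.2") <= 0], // up to 3.22.2
]);

// Split "1.2.3-pre.x+build" into a numeric core and prerelease identifiers.
function parseVersion(v) {
  const clean = v.split("+")[0];
  const dash = clean.indexOf("-");
  const core = (dash < 0 ? clean : clean.slice(0, dash)).split(".").map(Number);
  return { core, pre: dash < 0 ? [] : clean.slice(dash + 1).split(".") };
}

// Semver precedence: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return x.core[i] - y.core[i];
  }
  if (!x.pre.length || !y.pre.length) return y.pre.length - x.pre.length; // release > prerelease
  for (let i = 0; i < Math.max(x.pre.length, y.pre.length); i++) {
    const p = x.pre[i], q = y.pre[i];
    if (p === undefined) return -1;
    if (q === undefined) return 1;
    if (p === q) continue;
    const pn = /^\d+$/.test(p), qn = /^\d+$/.test(q);
    if (pn && qn) return Number(p) - Number(q);
    if (pn !== qn) return pn ? -1 : 1; // numeric identifiers sort first
    return p < q ? -1 : 1;
  }
  return 0;
}

// Report every installed copy (nested ones included) in an affected range.
// Expects the "packages" map of a package-lock.json with lockfileVersion 2 or 3.
function findAffected(lock) {
  return Object.entries(lock.packages || {})
    .map(([path, meta]) => ({ path, name: path.split("node_modules/").pop(), version: meta.version }))
    .filter((p) => p.version && AFFECTED.has(p.name) && AFFECTED.get(p.name)(p.version));
}

// Constructed lockfile: the top-level zod is patched, the nested copy is not.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "api-server", version: "1.0.0" },
  "node_modules/express-zod-api": { version: "9.3.0" },
  "node_modules/express-zod-api/node_modules/zod": { version: "3.21.4" },
  "node_modules/zod": { version: "3.22.3" },
} };
```

For the sample, findAffected(SAMPLE_LOCK) reports express-zod-api 9.3.0 and the nested zod 3.21.4, but not the patched top-level zod.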
Workarounds
When it's not possible to upgrade your dependencies, consider the following replacement in your implementation:
- z.string().email()
+ z.string().regex(
+ /^(?!\.)(?!.*\.\.)([A-Z0-9_+-\.]*)[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i
+ )
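Review bot: in the first character class on the regex line, [A-Z0-9_+-\.], the sequence +-\. is read as a range from + to . and therefore also admits a comma in the local part, whereas the second class, [A-Z0-9_+-], ends with the hyphen and takes it literally. If the comma is not intended, place the hyphen last in the first class as well, for example [A-Z0-9_+.-]. Because this swaps a built-in check for a hand-written pattern, a unit test feeding the schema a few valid and invalid addresses and one very long string would be worth adding alongside it.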
This regular expression is taken from the suggested patch of zod.
References
express-zod-api version 10.0.0-beta1: https://github.com/RobinTail/express-zod-api/blob/master/CHANGELOG.md#v1000-beta1