GHSA-MVRP-3CVX-C325
Vulnerability from github – Published: 2023-10-04 14:46 – Updated: 2023-10-04 14:46
VLAI
Summary
Zod denial of service vulnerability during email validation
Details
Impact
API servers running express-zod-api having:
- version of
express-zod-apibelow10.0.0-beta1, - and using the following (or similar) validation schema in its implementation:
z.string().email(),
are vulnerable to a DoS attack due to:
- Inefficient Regular Expression Complexity in
zodversions up to3.22.2, - depending on
zod.
Patches
The patched version of zod fixing the vulnerability is 3.22.3.
However, it's highly recommended to upgrade express-zod-api to at least version 10.0.0, which does not depend on zod strictly and directly, but requires its installation as a peer dependency instead, enabling you to install the patched zod version yourself.
Workarounds
When it's not possible to upgrade your dependencies, consider the following replacement in your implementation:
- z.string().email()
+ z.string().regex(
+ /^(?!\.)(?!.*\.\.)([A-Z0-9_+-\.]*)[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/i
+ )
This regular expression is taken from the suggested patch of zod.
References
- Original issue: https://github.com/colinhacks/zod/issues/2609
- The patch: https://github.com/colinhacks/zod/pull/2824
- Entry in database: https://nvd.nist.gov/vuln/detail/CVE-2023-4316
- Enumeration: https://cwe.mitre.org/data/definitions/1333.html
- Parent advisory: https://github.com/advisories/GHSA-m95q-7qp3-xv42
- Changelog entry for
express-zod-apiversion10.0.0-beta1: https://github.com/RobinTail/express-zod-api/blob/master/CHANGELOG.md#v1000-beta1
Severity
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "express-zod-api"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "10.0.0-beta1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-04T14:46:06Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nAPI servers running `express-zod-api` having:\n\n- version of `express-zod-api` below `10.0.0-beta1`,\n- and using the following (or similar) validation schema in its implementation: `z.string().email()`,\n\nare vulnerable to a DoS attack due to: \n\n- Inefficient Regular Expression Complexity in `zod` versions up to `3.22.2`,\n- depending on `zod`.\n\n### Patches\n\nThe patched version of `zod` fixing the vulnerability is `3.22.3`.\n\nHowever, it\u0027s highly recommended to upgrade `express-zod-api` to at least version `10.0.0`, which does not depend on `zod` strictly and directly, but requires its installation as a peer dependency instead, enabling you to install the patched `zod` version yourself.\n\n### Workarounds\n\nWhen it\u0027s not possible to upgrade your dependencies, consider the following replacement in your implementation:\n\n```diff\n- z.string().email()\n+ z.string().regex(\n+ /^(?!\\.)(?!.*\\.\\.)([A-Z0-9_+-\\.]*)[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\\-]*\\.)+[A-Z]{2,}$/i\n+ )\n```\n\nThis regular expression is taken from the suggested patch of `zod`.\n\n### References\n\n- Original issue: https://github.com/colinhacks/zod/issues/2609\n- The patch: https://github.com/colinhacks/zod/pull/2824\n- Entry in database: https://nvd.nist.gov/vuln/detail/CVE-2023-4316\n- Enumeration: https://cwe.mitre.org/data/definitions/1333.html\n- Parent advisory: https://github.com/advisories/GHSA-m95q-7qp3-xv42\n- Changelog entry for `express-zod-api` version `10.0.0-beta1`: https://github.com/RobinTail/express-zod-api/blob/master/CHANGELOG.md#v1000-beta1",
"id": "GHSA-mvrp-3cvx-c325",
"modified": "2023-10-04T14:46:06Z",
"published": "2023-10-04T14:46:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/RobinTail/express-zod-api/security/advisories/GHSA-mvrp-3cvx-c325"
},
{
"type": "WEB",
"url": "https://github.com/colinhacks/zod/issues/2609"
},
{
"type": "WEB",
"url": "https://github.com/colinhacks/zod/pull/2824"
},
{
"type": "PACKAGE",
"url": "https://github.com/RobinTail/express-zod-api"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-m95q-7qp3-xv42"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Zod denial of service vulnerability during email validation"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…