Zod 3.22.2 - Regular expression Denial of Service

Description

Zod in version 3.22.2 allows an attacker to perform a denial of service while validating emails

Vulnerability

Zod performs validations to determine if a string belongs to a valid email, the validations use of a vulnerable regular expression that allows an attacker to send a malicious string of data to generate excessive processing overhead and ultimately crash the server. It was identified that by sending a string of data of a predetermined length and increasing the number of characters, the time it takes for the application to process the request grows exponentially.

Exploitation

The application uses the following vulnerable regular expression:

^([A-Z0-9_+-]+\.?)*[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]

First we create a scheme to validate emails:

export const validateSchema = (schema) => (req, res, next) =>{
 try {
 if(req.query.email){
 schema.parse(req.query)
 }else{
 schema.parse(req.body)
 }
 next()
 } catch (error) {
 return res
 .status(400)
 .json({error: error.errors.map((error) => error.message)})
    }
}


export const pdfGeneratorSchema = z.object({
    email: z.string({
        required_error: "Email is required"
    }).email({message: "Invalid email"})
})

And perform validation:

router.get('/api/customer/export',  validateSchema(pdfGeneratorSchema), authorized, exportData);

Evidence of exploitation

First we send invalid information and we can see that the validation done by Zod works correctly, but when we increase the number of characters in the request for the invalid data, we can see that the processing time increases until the server stops responding.

Our security policy

We have reserved the ID CVE-2023-4316 to refer to this issue from now on. Disclosure policy

System Information

• Version: Zod 3.22.2

• Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

References

• Vendor page https://zod.dev/