Submission #796749: colinhacks Zod <=4.3.6 Improper Input Validation (Info)

Title: colinhacks Zod <=4.3.6 Improper Input Validation
Description:

### Summary

Zod provides functionality to validate data input, primarily from users, and thousands of websites rely on its validation. The CUID data type should only allow alphanumeric characters. Even though CUID is now considered obsolete and the standard recommendation is to use CUID2, Zod should still reject unsafe characters such as `{} ' ; < >`, which can lead to XSS, SQL Injection, or Command Injection.

### Details

This is the vulnerable regex line: https://github.com/colinhacks/zod/blob/c7805073fef5b6b8857307c3d4b3597a70613bc2/packages/zod/src/v4/core/regexes.ts#L3

### PoC

XSS exploiting the trust placed in a CUID that has passed validation. The Express server below validates the `id` query parameter with `z.cuid()` and then reflects it unescaped into the response body; because the CUID pattern does not restrict the input to alphanumeric characters, markup survives validation.

```javascript
const express = require('express');
const { z, ZodError } = require('zod');

const app = express();
const PORT = 3000;

// Schema: the id query parameter must be a CUID (as judged by Zod's regex).
const CuidSchema = z.object({
  id: z.cuid('The provided ID is not a valid CUID.').min(1, 'The ID parameter is required.'),
});

// Middleware: reject the request with 400 if Zod reports validation issues.
const validateCuid = (req, res, next) => {
  try {
    const validatedData = CuidSchema.parse(req.query);
    req.validatedQuery = validatedData;
    next();
  } catch (error) {
    if (error instanceof ZodError) {
      return res.status(400).json({
        status: 'error',
        message: 'Input validation failed.',
        errors: error.issues.map(issue => ({ path: issue.path.join('.'), message: issue.message })),
      });
    }
    return res.status(500).json({ status: 'error', message: 'Internal server error.' });
  }
};

// The "validated" id is interpolated into HTML without encoding.
app.get('/item', validateCuid, (req, res) => {
  const validCuid = req.validatedQuery.id;
  res.status(200).send(`
    <!DOCTYPE html>
    <html lang="en">
      <body>
        <h1>Valid CUID Received</h1>
        <p>The provided CUID is: <strong>${validCuid}</strong></p>
      </body>
    </html>
  `);
});

app.listen(PORT, () => {
  console.log(`Server running at http://localhost:${PORT}`);
  console.log(`Test a valid route: http://localhost:${PORT}/item?id=ck0a79p0000002p572b1v2s8v`);
  console.log(`Test an invalid route: http://localhost:${PORT}/item?id=c%3Cstrong%3E%3Cimg/src=%221%22onerror=alert(1)%3Ek0a79p0000002p572b1v2s8v`);
});
```

![Screenshot of the PoC response (attached to the original report)](https://github.com/user-attachments/assets/f36c40ca-e992-4642-94b8-6810f7fe8eed)

### Impact

Improper input validation is a critical security flaw that can lead to severe vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection (SQLi), and Remote Code Execution (RCE). Input that is expected to be an identifier should therefore be strictly limited to alphanumeric characters whenever possible. Enforcing this restriction prevents malicious characters (such as quotes, angle brackets, or semicolons) from being processed by the system's runtime, database, or browser, effectively mitigating these injection risks.
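Defender-side illustration of the report above, as an added example that is not part of the submission or of Zod's code base. It contrasts a permissive CUID pattern (written from my recollection of the linked `regexes.ts` line, so treat it as an assumption rather than the library's exact regex) with a strict CUID v1 pattern (`c` followed by 24 lowercase base-36 characters), and shows that HTML-encoding the value before reflecting it keeps the response inert even when validation is bypassed. All function and constant names are my own.

```javascript
// Added example; not Zod's code. Demonstrates the validation gap and two mitigations:
// a character-class-restricted identifier check, and output encoding as defence in depth.

// Assumed permissive pattern (from memory of the linked regexes.ts line; treat as an assumption).
// It only excludes whitespace and '-', so quotes, angle brackets and '/' all pass.
const PERMISSIVE_CUID = /^[cC][^\s-]{8,}$/;

// Strict CUID v1 layout: 'c' + 24 lowercase alphanumeric characters, nothing else.
const STRICT_CUID = /^c[a-z0-9]{24}$/;

function isCuidPermissive(value) {
  return typeof value === 'string' && PERMISSIVE_CUID.test(value);
}

function isCuidStrict(value) {
  return typeof value === 'string' && STRICT_CUID.test(value);
}

// Minimal HTML encoder for text nodes and attribute values.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Framework-free equivalent of the report's middleware: returns a result object
// instead of writing to an Express response, so it can be unit-tested.
function checkIdParam(query) {
  if (typeof query.id !== 'string' || query.id.length === 0) {
    return { ok: false, status: 400, message: 'The ID parameter is required.' };
  }
  if (!isCuidStrict(query.id)) {
    return { ok: false, status: 400, message: 'The provided ID is not a valid CUID.' };
  }
  return { ok: true, id: query.id };
}

// Renders the same fragment as the PoC, but encodes the value first. Even if a
// permissive validator let markup through, it cannot become live HTML here.
function renderItem(id) {
  return `<p>The provided CUID is: <strong>${escapeHtml(id)}</strong></p>`;
}

// Constructed samples: the valid CUID from the report, and the report's malformed
// input with the URL encoding removed (no whitespace, no '-', so the permissive
// pattern accepts it).
const VALID_CUID = 'ck0a79p0000002p572b1v2s8v';
const MALFORMED_ID = 'c<strong><img/src="1"onerror=alert(1)>k0a79p0000002p572b1v2s8v';

// Stand-alone run: show what each pattern decides and what the encoded output looks like.
for (const sample of [VALID_CUID, MALFORMED_ID]) {
  console.log(JSON.stringify(sample));
  console.log('  permissive:', isCuidPermissive(sample), ' strict:', isCuidStrict(sample));
  console.log('  check:', JSON.stringify(checkIdParam({ id: sample })));
  console.log('  rendered:', renderItem(sample));
}

module.exports = { isCuidPermissive, isCuidStrict, escapeHtml, checkIdParam, renderItem, VALID_CUID, MALFORMED_ID };
```

The two mitigations are independent: the strict pattern stops the payload at the validation layer, and `escapeHtml` ensures that a validator which is later relaxed (or replaced by a library pattern like the one in the report) still cannot turn the reflected identifier into executable markup.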
User: dsonbacker (UID 46970)
Submitted: 03/04/2026 23:54 (24 days ago)
Moderated: 24/04/2026 21:38 (21 days later)
Status: accepted
VulDB entry: 359543 [colinhacks Zod up to 4.3.6 CUID Data Type regexes.ts SQL Injection]
Points: 17
