Submission #796749: colinhacks Zod <=4.3.6 Improper Input Validation

Title: colinhacks Zod <=4.3.6 Improper Input Validation

Description:

### Summary

Zod provides functionality to validate data input, primarily from users, and thousands of websites rely on its validation. The CUID data type should only allow alphanumeric characters. Even though CUID is now considered obsolete and the standard recommendation is to use CUID2, Zod should still prevent unsafe characters such as `{} ' ; < >`, which can lead to XSS, SQL Injection, or Command Injection.

### Details

This is the vulnerable regex line: https://github.com/colinhacks/zod/blob/c7805073fef5b6b8857307c3d4b3597a70613bc2/packages/zod/src/v4/core/regexes.ts#L3

### PoC

XSS exploiting the trust placed in CUID input.

```javascript
const express = require('express');
const { z, ZodError } = require('zod');

const app = express();
const PORT = 3000;

// Schema for the `id` query parameter: it must be a CUID
const CuidSchema = z.object({
  id: z.cuid('The provided ID is not a valid CUID.').min(1, 'The ID parameter is required.'),
});

// Middleware: validate req.query against the schema and expose the result
const validateCuid = (req, res, next) => {
  try {
    const validatedData = CuidSchema.parse(req.query);
    req.validatedQuery = validatedData;
    next();
  } catch (error) {
    if (error instanceof ZodError) {
      return res.status(400).json({
        status: 'error',
        message: 'Input validation failed.',
        errors: error.issues.map(issue => ({
          path: issue.path.join('.'),
          message: issue.message
        }))
      });
    }
    return res.status(500).json({
      status: 'error',
      message: 'Internal server error.'
    });
  }
};

// The validated id is reflected into the HTML response without encoding
app.get('/item', validateCuid, (req, res) => {
  const validCuid = req.validatedQuery.id;
  res.status(200).send(`
    <!DOCTYPE html>
    <html lang="en">
    <body>
      <h1>Valid CUID Received</h1>
      <p>The provided CUID is: <strong>${validCuid}</strong></p>
    </body>
    </html>
  `);
});

app.listen(PORT, () => {
  console.log(`Server running at http://localhost:${PORT}`);
  console.log(`Test a valid route: http://localhost:${PORT}/item?id=ck0a79p0000002p572b1v2s8v`);
  console.log(`Test an invalid route: http://localhost:${PORT}/item?id=c%3Cstrong%3E%3Cimg/src=%221%22onerror=alert(1)%3Ek0a79p0000002p572b1v2s8v`);
});
```

### Impact

Improper input validation is a critical security flaw that can lead to severe vulnerabilities like Cross-Site Scripting (XSS), SQL Injection (SQLi), and Remote Code Execution (RCE). This makes it extremely important that input be strictly limited to alphanumeric characters whenever possible. By enforcing this restriction, you prevent malicious characters (like quotes, angle brackets, or semicolons) from being processed by the system's runtime, database, or browser, effectively mitigating these injection risks.
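As an added example (not part of the submission and not Zod's own code), the check below contrasts a permissive pattern of the shape the report describes with a strict alphanumeric one, and adds HTML output encoding at the response sink shown in the PoC; the exact permissive pattern and the 25-character strict length are assumptions.

```javascript
// Added example, not Zod's own code: a permissive "CUID" pattern that mirrors
// the shape of the reported check (assumption) beside a strict alphanumeric
// one, plus HTML output encoding for the reflected sink shown in the PoC.

// Assumed approximation of the permissive check: "c" then 8+ characters that
// are merely not whitespace or a hyphen, so quotes and angle brackets pass.
const PERMISSIVE_CUID = /^c[^\s-]{8,}$/i;

// Strict form (assumption): "c" followed by exactly 24 lowercase base-36
// characters, the shape of a classic 25-character CUID.
const STRICT_CUID = /^c[a-z0-9]{24}$/;

function isCuidPermissive(value) {
  return typeof value === 'string' && PERMISSIVE_CUID.test(value);
}

function isCuidStrict(value) {
  return typeof value === 'string' && STRICT_CUID.test(value);
}

// Output encoding for an HTML text context. Apply it to anything reflected
// into a page even after validation; the two are separate controls.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened version of the PoC's response body: strict check, then encoding.
function renderItem(id) {
  if (!isCuidStrict(id)) {
    return { status: 400, body: 'Input validation failed.' };
  }
  return { status: 200, body: `<p>The provided CUID is: <strong>${escapeHtml(id)}</strong></p>` };
}

// Constructed inputs: the valid id from the PoC, the decoded PoC payload,
// and a quote-bearing value that the permissive pattern also lets through.
const SAMPLES = {
  valid: 'ck0a79p0000002p572b1v2s8v',
  poc: 'c<strong><img/src="1"onerror=alert(1)>k0a79p0000002p572b1v2s8v',
  quoted: "c'or'1'='1zzzzzzzzzzzzzzzz",
};
```

Only the strict pattern rejects the two hostile samples, and `renderItem` encodes the value anyway so a future loosening of the pattern does not reopen the reflected sink.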
User: dsonbacker (UID 46970)
Submitted: 2026-04-03 23:54 (22 days ago)
Moderated: 2026-04-24 21:38 (21 days later)
Status: Accepted
VulDB entry: 359543 [colinhacks Zod up to 4.3.6 CUID Data Type regexes.ts SQL Injection]
Points: 17
