Zod 3.22.2 - Regular expression Denial of Service
Summary
| Name | Zod 3.22.2 - Regular expression Denial of Service |
| Code name | |
| Product | Zod |
| Affected versions | Version 3.22.2 |
| State | Public |
| Release date | 2023-09-28 |
Vulnerability
| Kind | Asymmetric denial of service - ReDoS |
| Rule | |
| Remote | Yes |
| CVSSv3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CVSSv3.1 Base Score | 7.5 |
| Exploit available | Yes |
| CVE ID(s) |
Description
Zod in version 3.22.2 allows an attacker to perform a denial of service while validating emails
Vulnerability
Zod performs validations to determine if a string belongs to a valid email, the validations use of a vulnerable regular expression that allows an attacker to send a malicious string of data to generate excessive processing overhead and ultimately crash the server. It was identified that by sending a string of data of a predetermined length and increasing the number of characters, the time it takes for the application to process the request grows exponentially.
Exploitation
The application uses the following vulnerable regular expression:
^([A-Z0-9_+-]+\.?)*[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$
First we create a scheme to validate emails:
export const validateSchema = (schema) => (req, res, next) =>{ try { if(req.query.email){ schema.parse(req.query) }else{ schema.parse(req.body) } next() } catch (error) { return res .status(400) .json({error: error.errors.map((error) => error.message)})
}
}
export const pdfGeneratorSchema = z.object({
email: z.string({
required_error: "Email is required"
}).email({message: "Invalid email"})
})
And perform validation:
router.get('/api/customer/export', validateSchema(pdfGeneratorSchema), authorized, exportData);
Evidence of exploitation
First we send invalid information and we can see that the validation done by Zod works correctly, but when we increase the number of characters in the request for the invalid data, we can see that the processing time increases until the server stops responding.
Our security policy
We have reserved the ID CVE-2023-4316 to refer to this issue from now on.
System Information
-
Version: Zod 3.22.2
-
Operating System: GNU/Linux
Mitigation
There is currently no patch available for this vulnerability.
Credits
The vulnerability was discovered by Diana Osorio from Fluid Attacks' Offensive Team.
References
Vendor page https://zod.dev/
Timeline
2023-09-18
Vulnerability discovered.
2023-09-19
Vendor contacted.
2023-09-28
Public Disclosure.
