Zod 3.22.2 - Regular expression Denial of Service

Summary

Name: Zod 3.22.2 - Regular expression Denial of Service
Code name:
Product: Zod
Affected versions: Version 3.22.2
State: Public
Release date: 2023-09-28

Vulnerability

Kind: Asymmetric denial of service - ReDoS
Rule:
Remote: Yes
CVSSv3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSSv3.1 Base Score: 7.5
Exploit available: Yes
CVE ID(s): CVE-2023-4316

Description

Zod 3.22.2 allows a remote, unauthenticated attacker to cause a denial of service by submitting a crafted string to any schema that validates e-mail addresses.

Vulnerability

Zod checks whether a string is a valid e-mail address with a regular expression that is susceptible to catastrophic backtracking. An attacker can send a malicious string that forces the validator into excessive processing and ultimately leaves the server unable to answer requests. We identified that, for an invalid string of a given length, adding characters makes the time the application needs to process the request grow exponentially with the number of characters.

Exploitation

The application uses the following vulnerable regular expression. The problematic part is the group `([A-Z0-9_+-]+\.?)*`: because the dot is optional, the outer `*` and the inner `+` can split a run of local-part characters in exponentially many ways, and when the overall match fails (for example because the string never contains an `@`) the backtracking engine tries every one of those splits before giving up.

^([A-Z0-9_+-]+\.?)*[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$

First we create a schema to validate emails, together with an Express middleware that applies it to the query string when an email parameter is present and to the request body otherwise:

import { z } from "zod";

// Middleware factory: parses req.query when an email query parameter is
// present, otherwise req.body, and turns Zod issues into a 400 response.
export const validateSchema = (schema) => (req, res, next) => {
    try {
        if (req.query.email) {
            schema.parse(req.query);
        } else {
            schema.parse(req.body);
        }
        next();
    } catch (error) {
        return res
            .status(400)
            .json({ error: error.errors.map((issue) => issue.message) });
    }
};

export const pdfGeneratorSchema = z.object({
    email: z.string({
        required_error: "Email is required"
    }).email({ message: "Invalid email" })
});

And perform validation:

router.get('/api/customer/export',  validateSchema(pdfGeneratorSchema), authorized, exportData);

Evidence of exploitation

First we send a short invalid e-mail address and Zod rejects it promptly, so the validation itself works as intended. When we increase the number of characters in the invalid value, the time the server takes to answer grows with each request, until it stops responding altogether.
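To make the mechanism reproducible, the following is an added example written for this page; it is not Zod's code and not part of the original advisory. It uses the regex exactly as quoted above, times it against constructed payloads of growing length (a run of local-part characters followed by a character that can never match `@`), and contrasts it with a hypothetical `checkEmail` helper that caps the input at 254 characters (the RFC 5321 mailbox limit) before the regex ever runs. The names `EMAIL_REGEX`, `MAX_EMAIL_LENGTH`, `redosPayload`, `timeRegex` and `checkEmail` are assumptions for this example.

```javascript
// Added example (not Zod's code): reproduces the catastrophic backtracking of
// the email regex quoted in this advisory and shows a length guard that keeps
// oversized input from reaching the regex at all.

// The regex exactly as printed in the advisory. The page shows no flags, so
// the sample strings below are upper-case to stay inside the character classes.
const EMAIL_REGEX = /^([A-Z0-9_+-]+\.?)*[A-Z0-9_+-]@([A-Z0-9][A-Z0-9\-]*\.)+[A-Z]{2,}$/;

// RFC 5321 caps a complete mailbox at 254 octets; anything longer cannot be a
// valid address and can be rejected before any regex work is done. Assumed
// constant for this example.
const MAX_EMAIL_LENGTH = 254;

// Constructed ReDoS payload: n local-part characters followed by "!", which
// can never satisfy the "@" that must follow. Because "\.?" is optional, the
// outer "*" group and the inner "+" can split the run of "A"s in about 2^(n-1)
// ways, and the engine tries each split before reporting failure.
function redosPayload(n) {
  return "A".repeat(n) + "!";
}

// Time one test of the vulnerable regex, in milliseconds.
function timeRegex(input) {
  const start = performance.now();
  EMAIL_REGEX.test(input);
  return performance.now() - start;
}

// Hardened check (hypothetical helper, not a Zod API): bound the input before
// the regex sees it. Returns a result object rather than throwing so it can be
// placed in front of schema.parse() in a middleware.
function checkEmail(value) {
  if (typeof value !== "string") return { ok: false, reason: "not_a_string" };
  if (value.length > MAX_EMAIL_LENGTH) return { ok: false, reason: "too_long" };
  if (!EMAIL_REGEX.test(value)) return { ok: false, reason: "invalid" };
  return { ok: true, reason: null };
}

// Demo: each extra two characters roughly quadruples the time spent by the
// unguarded regex, while the guarded check rejects a long payload immediately.
for (const n of [14, 16, 18, 20, 22]) {
  console.log(`n=${n}  unguarded regex: ${timeRegex(redosPayload(n)).toFixed(2)} ms`);
}
console.log("guarded, 300-char payload:", checkEmail(redosPayload(300)));
console.log("guarded, valid address:   ", checkEmail("USER@EXAMPLE.COM"));
```

Run it with node and watch the per-request time climb as n grows. The guard belongs in front of `schema.parse()` in the middleware shown above rather than as a `.max(254)` check on the Zod schema: Zod 3 evaluates every string check and collects their issues instead of stopping at the first failure, so a `.max()` placed before `.email()` still lets the regex run on the oversized string.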

Our security policy

We have reserved the ID CVE-2023-4316 to refer to this issue from now on.

System Information

  • Version: Zod 3.22.2

  • Operating System: GNU/Linux

Mitigation

There is currently no patch available for this vulnerability.

Credits

The vulnerability was discovered by Diana Osorio from Fluid Attacks' Offensive Team.

References

Vendor page https://zod.dev/

Timeline

  • 2023-09-18: Vulnerability discovered.

  • 2023-09-19: Vendor contacted.

  • 2023-09-28: Public disclosure.
