CVE-2023-4316
Denial of service vulnerability in zod (npm)
What is CVE-2023-4316 About?
This vulnerability in Zod version 3.22.2 allows an attacker to cause a denial of service while email addresses are being validated. The impact is temporary unavailability of the application due to excessive resource consumption. Exploitation is likely easy, requiring only a specifically crafted email string.
Affected Software
Technical Details
The denial-of-service vulnerability in Zod version 3.22.2 specifically affects its email validation mechanism. The exact regex or parsing logic behind the issue is not detailed, but the behaviour matches a common pattern in regex-based validators: a specially crafted input string causes the regex engine to backtrack excessively. This 'catastrophic backtracking' consumes a disproportionate amount of CPU time and memory and locks up the process performing the validation. An attacker can supply a malicious email string that triggers this worst-case performance scenario, leaving the JavaScript runtime unresponsive for the duration of the validation and thus denying service to the application.
What is the Impact of CVE-2023-4316?
Successful exploitation may allow attackers to make the application unresponsive or crash it, leading to a denial-of-service condition.
What is the Exploitability of CVE-2023-4316?
Exploitation complexity is likely low, requiring only the ability to supply a malicious email string to the application's Zod-based email validator. No authentication or privilege is needed; any input field that validates email addresses could be a vector. Access can be remote, as long as the application exposes an endpoint where user-controlled input (such as an email address) is validated by Zod. The risk is elevated in web applications or APIs that validate email addresses from untrusted users using affected Zod versions.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2023-4316?
About the Fix from Resolved Security
Available Upgrade Options
- zod
- <3.22.3 → Upgrade to 3.22.3
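As an added example (not code from the advisory or from the zod project), the JavaScript below covers both the technical-details section and the upgrade guidance: a length-bounded, linear-time email syntax check that can run in front of any regex-based validator so adversarial input never reaches a backtracking engine, and a helper that flags a resolved zod version inside the affected range (<3.22.3). The 254/64-character limits are assumptions drawn from common practice, not from the advisory.

```javascript
// Added example; not the advisory's or zod's own code.
const MAX_EMAIL_LENGTH = 254; // assumed practical cap: bounds the work done per input
const MAX_LOCAL_LENGTH = 64;  // assumed cap for the part before '@'
const LOCAL_CHARS = new Set(
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&'*+/=?^_`{|}~-");
const LABEL_CHARS = new Set(
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-");

// A DNS label: 1-63 chars, alphanumeric or hyphen, no leading/trailing hyphen.
function isValidLabel(label) {
  if (label.length === 0 || label.length > 63) return false;
  if (label.startsWith('-') || label.endsWith('-')) return false;
  for (const c of label) if (!LABEL_CHARS.has(c)) return false;
  return true;
}

// Every step is a single pass or a split on a literal delimiter, so cost grows
// linearly with input length and there is no regex engine to backtrack.
function isSafeEmailSyntax(input) {
  if (typeof input !== 'string') return false;
  if (input.length === 0 || input.length > MAX_EMAIL_LENGTH) return false; // size check first
  const at = input.indexOf('@');
  if (at <= 0 || at !== input.lastIndexOf('@') || at === input.length - 1) return false;
  const local = input.slice(0, at);
  const domain = input.slice(at + 1);
  if (local.length > MAX_LOCAL_LENGTH) return false;
  // Local part: dot-separated atoms; an empty atom means a leading, trailing or double dot.
  for (const atom of local.split('.')) {
    if (atom.length === 0) return false;
    for (const c of atom) if (!LOCAL_CHARS.has(c)) return false;
  }
  // Domain: at least two labels, each a valid DNS label.
  const labels = domain.split('.');
  return labels.length >= 2 && labels.every(isValidLabel);
}

// true  -> version is inside the advisory's affected range (< 3.22.3)
// false -> version is at or above the fix
// null  -> not a plain x.y.z string (a tag or range must be resolved first)
function zodVersionIsAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(version).trim());
  if (!m) return null;
  const parts = m.slice(1).map(Number);
  const fixed = [3, 22, 3]; // fix version from the advisory
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== fixed[i]) return parts[i] < fixed[i];
  }
  return false; // exactly 3.22.3
}
```

In an application the syntax check belongs ahead of the schema, so the bounded, linear check sees untrusted input before any regex-based validator does; the version helper is meant to be fed the resolved version from the lockfile, not a range from package.json.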
Additional Resources
- https://github.com/colinhacks/zod/pull/2824
- https://github.com/colinhacks/zod
- https://www.npmjs.com/package/zod
- https://fluidattacks.com/advisories/swift
- https://osv.dev/vulnerability/GHSA-m95q-7qp3-xv42
- https://github.com/colinhacks/zod/commit/2ba00fe2377f4d53947a84b8cdb314a63bbd6dd4
- https://nvd.nist.gov/vuln/detail/CVE-2023-4316
- https://github.com/colinhacks/zod/releases/tag/v3.22.3
- https://github.com/colinhacks/zod/issues/2609
What are Similar Vulnerabilities to CVE-2023-4316?
Similar Vulnerabilities: CVE-2023-34453, CVE-2023-3635, CVE-2022-42889, CVE-2021-42392, CVE-2020-15168
