Colinhacks Zod CUID Data Type SQL Injection Vulnerability

A SQL injection vulnerability has been identified in colinhacks Zod versions through 4.3.6. The issue arises in the CUID Data Type Handler, specifically within an unknown function of the file packages/zod/src/v4/core/regexes.ts. This vulnerability allows for remote exploitation and has been publicly disclosed.

Impact

Exploitation of this vulnerability allows for SQL injection, where an attacker can manipulate SQL queries to the database. This could lead to unauthorized data access, data manipulation, or in some cases, executing administrative operations on the database.

Reproduction

To reproduce this vulnerability, use a version of colinhacks Zod prior to 4.3.6. Create a schema that includes a CUID field. When the schema is parsed, the validation process will incorrectly allow unsafe characters, such as quotes and angle brackets, which can then be exploited to perform SQL injection.