GHSA-mvrp-3cvx-c325: 
JavaScript vulnerability analysis and mitigation

A denial of service (DoS) vulnerability was discovered in express-zod-api versions below 10.0.0-beta1, identified as GHSA-mvrp-3cvx-c325. The vulnerability stems from an inefficient regular expression complexity in zod versions up to 3.22.2 during email validation when using the z.string().email() validation schema (GitHub Advisory).

The vulnerability is caused by catastrophic backtracking in the email validation regex, specifically in the pattern ([A-Z0-9_+-]+.?)*. This results in exponential execution time increases for failed matches, leading to potential denial of service attacks. The vulnerability has a CVSS score of 7.5 (High severity) with attack vector: Network, attack complexity: Low, privileges required: None, user interaction: None, scope: Unchanged, and high availability impact (GitHub Advisory).

When exploited, this vulnerability can cause API servers running express-zod-api to experience denial of service conditions during email validation attempts. The impact primarily affects the availability of the service, with no direct effect on confidentiality or integrity (GitHub Advisory).

The recommended mitigation is to upgrade express-zod-api to version 10.0.0 or later, which handles zod as a peer dependency. Alternatively, users can replace z.string().email() with a custom regex pattern: z.string().regex(/^(?!.)(?!...)[A-Z0-9+-.]*[A-Z0-9+-]@([A-Z0-9][A-Z0-9\-].)+[A-Z]{2,}$/i) (GitHub Advisory).