Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
A vulnerability was determined in colinhacks Zod up to 4.3.6. The impacted element is an unknown function of the file packages/zod/src/v4/core/regexes.ts of the component CUID Data Type Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
SQL injection vulnerability in Zod CUID Data Type Handler affects versions up to 4.3.6, allowing authenticated remote attackers to manipulate input validation logic in the regex component and execute arbitrary SQL queries. The vulnerability has been publicly disclosed with proof-of-concept code available; the vendor was contacted early but provided no response, and no patch has been issued as of analysis time.
Technical ContextAI
Zod is a TypeScript-first schema validation library. The vulnerability exists in the CUID Data Type Handler component, specifically in the regex validation logic located in packages/zod/src/v4/core/regexes.ts. CWE-89 (SQL Injection) indicates that the regex-based validation fails to properly sanitize or escape input before it is used in SQL contexts. This suggests the vulnerability arises when Zod schemas are used to validate data that is subsequently passed to database queries without additional sanitization, or the regex pattern itself can be manipulated to bypass validation checks intended to prevent SQL metacharacters.
RemediationAI
Upgrade to a patched version of Zod greater than 4.3.6 if available from the vendor repository. As of analysis time, no official patched version has been confirmed by the vendor (colinhacks did not respond to early disclosure). As a workaround, do NOT pass Zod-validated CUID values directly into SQL queries - always re-validate, escape, or use parameterized queries with bound variables. Review all code paths where Zod CUID validation output feeds into database operations and implement SQL parameterization (prepared statements) as a compensating control. This adds a small performance overhead but eliminates SQL injection risk regardless of validation bypass. Monitor the Zod GitHub repository and npm package for security updates. Consider forking or pinning to a specific version with manual review if upgrading is not immediately feasible, but this is not a long-term solution.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25667