Zod email validation blocks the main thread in version 3.22.2

[SpongeBed81]

Here is the version 3.21.4 of Zod:

zod-3.21.4.mp4

And here is the version 3.22.2:

zod-3.22.2.mp4

here is the demo code:

<script>
    import { z } from 'zod';

    let emailVal = '';

    let success;
    let counter = 0;

    $: {
        success = z.string().email().safeParse(emailVal).success;
        counter++;
    }
</script>

<input type="text" bind:value={emailVal} />
<p>success: {success} | {counter}</p>

and I also tried something like this:

<script>
    import { z } from 'zod';
    import { onMount } from 'svelte';

    onMount(() => {
        console.log(z.string().email().safeParse('a'.repeat(50)).success);
    });
</script>

Both of them blocks the main thread and the second code doesn't even let me to see the page.

When I opened the performance tab in devtools I noticed it is doubling the time it takes the complete the task every time when I enter a new character to the input.

task	time
1	10ms
2	19.33ms
3	38.42ms
4	75.17ms
5	151ms
6	299.96ms
7	598.56ms
8	1.21s

[JulienZD]

It's vulnerable to ReDoS attacks, as also mentioned in this issue. The linked issue contains a workaround by manually defining a zod string with a regex to parse the email address.

[SpongeBed81]

It's vulnerable to ReDoS attacks, as also mentioned in this issue. The linked issue contains a workaround by manually defining a zod string with a regex to parse the email address.

Thanks for your reply. I noticed both of the versions are problematic. In version 3.22.2 it blocks the main thread if you do what I did in the provided video. But in 3.21.4 if you type "noreply1@1-90y790o645vz81zq6287dhb9x1x28ab4q521nuv7b1og4y9c3q.5r-h8uter0.sc016.case.sandbox.salesforce.com" it will also block the main thread. This email is provided in issue #2580 . Currently I am converting z.email()'s to a regex one as you mentioned.

Currently both versions looks problematic and I didn't find any better way without using a regex.

[MrKoopie]

We can reproduce this error as well. Downgrading to 3.21.4 fixed it for us.

[MacsDickinson]

have a PR in for #2609 which should resolve this - #2824

[SpongeBed81]

have a PR in for #2609 which should resolve this - #2824

Thanks for your contribution. I will wait for your PR to get merged 😄

[SpongeBed81]

We can reproduce this error as well. Downgrading to 3.21.4 fixed it for us.

It fixes the bug in the latest version but version 3.21.4 also has a bug that also blocks the main thread as I said. So, be careful 😉

[taos15]

Does that PR address this NVD ?

[SpongeBed81]

Does that PR address this NVD ?

Yes

[colinhacks]

Fixed by #2824

Landed in Zod v3.22.3