TL;DR

Zod's .refine() executes on every input — even when earlier validators like .min() and .max() have already failed. If you place an expensive operation such as a database query inside .refine(), an attacker can trigger that query with every request, including requests containing completely invalid inputs that would never pass validation. Flood enough of those requests concurrently and the server goes down. The fix is one line away — validate first, query after — but only if you know the behavior exists.

Introduction

Zod is one of the most widely adopted TypeScript validation libraries. If you are building a Next.js API route, a tRPC endpoint, or a server action, Zod is likely involved in your validation layer. It is trusted precisely because it makes validation straightforward — define a schema once, validate everywhere. That trust makes this behavioral edge case more dangerous than it would be in a less-used library. Developers assume that if .min() or .max() rejects an input, Zod stops there.…