Does the Shellshock bug affect ZSH?

No, it doesn't affect ZSH.

You still MUST update bash, as most of the system scripts are written for bash and are vulnerable to the Shellshock bug.

To test your ZSH do this:

env x='() { :;}; echo vulnerable' zsh -c 'echo hello'

What exactly does this code do?

  1. env x='() { :;}; echo vulnerable' creates an environment variable with the known bug, using a command at the end of the variable
  2. zsh -c 'echo hello' launches the ZSH shell with a simple hello (and evaluates all env variables, including x)

If you see output:

vulnerable
hello

Then your ZSH is vulnerable. Mine (5.0.2) is not:

$ env x='() { :;}; echo vulnerable' zsh -c 'echo hello'
hello

From this link:

You can determine if you are vulnerable to the original problem in CVE-2014-6271 by executing this test:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'

If you see the word vulnerable in the output of that command your bash is vulnerable and you should update. Below is a vulnerable version from OS X 10.8.5:

env x='() { :;}; echo vulnerable' bash -c 'echo hello'
vulnerable
hello

The following output is an example of a non-vulnerable bash version.

$ env x='() { :;}; echo vulnerable' bash -c 'echo hello'
bash: warning: x: ignoring function definition attempt
bash: error importing function definition for `x'
hello

The binary is not affected

It does not affect zsh as the shell executable, because its source code never contained the error.
There are many similarities between bash and zsh, but they were implemented independently of each other. The same feature is implemented in two different ways, and - more importantly in this context - usually with different errors.

But the interactive use is

Indirectly it does affect working interactively with the zsh shell in a terminal almost as much as working with bash.

The use of bash is just so common that one can hardly avoid calling it.

Too many uses to avoid

  • scripts you know and expect to use zsh, but actually contain bash.
  • lots of shell scripts that use #!/bin/bash to specify bash as the interpreter.
  • lots of commands that you assume are binaries, but are shell scripts, some of them using bash.

  • in many places where a shell is executed explicitly, bash may be used, and possibly required.

    • like complex xargs commands, or git aliases involving arguments
    • default shells of terminal emulators
    • shell of users you sudo to
    • etc.
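
The last answer's point, that many commands you run from zsh are really bash scripts, can be checked on a given machine by reading each executable's interpreter line. The script below is an added example, not part of any answer above; the function names (uses_bash, scan_dirs, scan_path, demo) and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original answers): find commands that run under bash.

# Succeed if FILE's first line is a shebang naming bash as the interpreter,
# directly (#!/bin/bash) or through env (#!/usr/bin/env bash).
uses_bash() {
    head -n 1 "$1" 2>/dev/null |
        LC_ALL=C grep -Eq '^#![[:space:]]*[^[:space:]]*/(env[[:space:]]+)?bash([[:space:]]|$)'
}

# Print every executable regular file in the given directories that uses bash.
scan_dirs() {
    for dir in "$@"; do
        [ -n "$dir" ] || dir=.          # an empty PATH entry means the current directory
        for f in "$dir"/*; do
            [ -f "$f" ] && [ -x "$f" ] && uses_bash "$f" && printf '%s\n' "$f"
        done
    done
    return 0
}

# Scan every directory listed in $PATH.
scan_path() {
    old_ifs=$IFS; IFS=:; set -f
    set -- $PATH                         # split PATH on ':' without globbing
    set +f; IFS=$old_ifs
    scan_dirs "$@"
}

# Constructed sample directory: two bash scripts, a zsh script, a /bin/sh
# script and a fake ELF binary. Only the two bash scripts should be listed.
demo() {
    tmp=$(mktemp -d) || return 1
    printf '#!/bin/bash\necho hi\n'         > "$tmp/direct"
    printf '#!/usr/bin/env bash\necho hi\n' > "$tmp/via_env"
    printf '#!/usr/bin/env zsh\necho hi\n'  > "$tmp/zsh_script"
    printf '#!/bin/sh\necho hi\n'           > "$tmp/posix_sh"
    printf '\177ELF\001\002binary\n'        > "$tmp/fake_binary"
    chmod +x "$tmp"/*
    (cd "$tmp" && scan_dirs .)
    rm -rf "$tmp"
}

# "path" scans $PATH, directory arguments scan those, no arguments runs the demo.
case "${1-}" in
    path) scan_path ;;
    "")   demo ;;
    *)    scan_dirs "$@" ;;
esac
```

Scripts that start with #!/bin/sh are not matched; on systems where /bin/sh is itself bash, they run under bash as well.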