According to the vulnerability test in
https://securityblog.redhat.com/2014/09/24/bash-specially-crafted-environment-variables-code-injection-attack/

[~]> echo $ZSH_VERSION
5.0.6

[~]> env x='() { :;}; echo vulnerable' bash -c "echo this is a test"
vulnerable
this is a test

Looks like zsh is vulnerable too.

Regards.