Authorization Flaw in Zulip Allows Unauthorized Export Deletions
CVE-2025-30368

2.7 LOW

Key Information:

Vendor: Zulip

CVE Published: 31 March 2025

What is CVE-2025-30368?

CVE-2025-30368 is an authorization flaw in Zulip, an open-source team collaboration tool. The API endpoint that deletes organization data exports did not verify that the export being deleted belonged to the organization of the administrator making the request. On a Zulip server that hosts more than one organization, an administrator of one organization could therefore delete the data exports of any other organization on the same server. The flaw permits deletion only: it gives the attacker no read access to the export contents, which is why the CVSS vector scores Confidentiality as None and Integrity as Low, and exploitation requires an already-privileged administrator account. A server hosting a single organization has no other organization's exports to target. The vulnerability was fixed in Zulip Server version 10.1.
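The bug class behind this CVE is a missing object-level (per-tenant) authorization check on a delete endpoint: the caller's role is verified, but the object is fetched by identifier without confirming it belongs to the caller's organization (Zulip calls an organization a "realm" internally). The following is an added example written for this page, not Zulip's own code; the Realm, UserProfile and RealmExport classes, the in-memory store and the two delete functions are assumptions for illustration and do not mirror Zulip's internals. It shows the flawed lookup beside the hardened one, where the lookup itself is scoped to the caller's realm so that another organization's export is indistinguishable from a nonexistent one.

```python
"""
Illustration of the authorization bug class behind CVE-2025-30368: an
object-level authorization check missing from a multi-tenant delete
endpoint. Example code for this page, not Zulip's code; all names below
are assumed for illustration.
"""
from dataclasses import dataclass


class NotFound(Exception):
    """Raised when the requested export is not visible to the caller."""


class Forbidden(Exception):
    """Raised when the caller lacks the role needed for the action."""


@dataclass(frozen=True)
class Realm:
    id: int
    name: str


@dataclass(frozen=True)
class UserProfile:
    id: int
    realm: Realm
    is_realm_admin: bool


@dataclass
class RealmExport:
    id: int
    realm: Realm
    path: str


# Constructed sample data: one server hosting two organizations (realms),
# each with an administrator and one data export.
ACME = Realm(1, "acme")
GLOBEX = Realm(2, "globex")

ADMIN_ACME = UserProfile(10, ACME, is_realm_admin=True)
ADMIN_GLOBEX = UserProfile(20, GLOBEX, is_realm_admin=True)
MEMBER_ACME = UserProfile(11, ACME, is_realm_admin=False)


def fresh_store() -> dict:
    """In-memory stand-in for the exports table, keyed by export id."""
    return {
        100: RealmExport(100, ACME, "/exports/acme-2025-03-01.tar.gz"),
        200: RealmExport(200, GLOBEX, "/exports/globex-2025-03-02.tar.gz"),
    }


def delete_export_vulnerable(store: dict, user: UserProfile, export_id: int) -> RealmExport:
    """Flawed pattern: the role is checked, but the export is fetched by id
    alone, so an admin of one realm can delete another realm's export."""
    if not user.is_realm_admin:
        raise Forbidden("administrator role required")
    export = store.get(export_id)
    if export is None:
        raise NotFound("export not found")
    del store[export_id]  # no check that export.realm == user.realm
    return export


def delete_export_fixed(store: dict, user: UserProfile, export_id: int) -> RealmExport:
    """Hardened pattern: the lookup is scoped to the caller's realm, so an
    export belonging to another realm looks exactly like a missing one
    (the same shape as adding a realm filter to the database query)."""
    if not user.is_realm_admin:
        raise Forbidden("administrator role required")
    export = store.get(export_id)
    if export is None or export.realm != user.realm:
        raise NotFound("export not found")
    del store[export_id]
    return export


def cross_realm_attempt(delete_fn) -> bool:
    """True if delete_fn lets the acme admin delete globex's export,
    i.e. True means the cross-organization bug is present."""
    store = fresh_store()
    try:
        delete_fn(store, ADMIN_ACME, 200)
    except NotFound:
        return False
    return 200 not in store


def same_realm_delete_works(delete_fn) -> bool:
    """True if an admin can still delete an export of their own realm."""
    store = fresh_store()
    delete_fn(store, ADMIN_GLOBEX, 200)
    return 200 not in store


def non_admin_rejected(delete_fn) -> bool:
    """True if a non-administrator is refused even within their own realm."""
    store = fresh_store()
    try:
        delete_fn(store, MEMBER_ACME, 100)
    except Forbidden:
        return 100 in store
    return False


if __name__ == "__main__":
    print("vulnerable allows cross-realm delete:", cross_realm_attempt(delete_export_vulnerable))
    print("fixed allows cross-realm delete:", cross_realm_attempt(delete_export_fixed))
```

The fixed version returns the same "not found" error for a wrong-realm export as for a nonexistent one; returning a distinct "forbidden" error would confirm to the caller that an export with that identifier exists in some other organization. The same scoping rule applies to every endpoint that accepts an object identifier on a multi-tenant server, not only the delete path.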

Affected Version(s)

zulip >= 10.0-beta1, < 10.1

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Score: 2.7
Severity: LOW
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
