Access Control Flaw in Zulip Team Chat Application
CVE-2025-47930

5.3 MEDIUM

Key Information:

Vendor: Zulip
Status: Vendor
CVE Published: 16 May 2025

What is CVE-2025-47930?

Zulip versions 10.0 through 10.2 contain a serious access control flaw that lets users who are not permitted to create public channels do so anyway: the user first creates a private or web-public channel and then changes its privacy setting to public, bypassing the intended access control. A related sequence allows private channels to be created inappropriately, although that variant requires the API or direct HTML manipulation because the UI blocks it. A patch released in version 10.3 addresses this critical issue.
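The pattern behind this flaw is a permission check that runs only at channel creation and is not re-applied when the channel's privacy is later changed. The model below is an added illustration and is not Zulip's code: the User fields, the PermissionDenied exception and the two change handlers are hypothetical simplifications chosen to show the vulnerable check beside the hardened one.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class Privacy(Enum):
    PUBLIC = "public"
    PRIVATE = "private"
    WEB_PUBLIC = "web_public"


class PermissionDenied(Exception):
    """Raised when a user lacks the permission an operation requires."""


@dataclass
class User:
    # Hypothetical per-user creation rights. Real Zulip derives these from
    # realm policy and user role; this toy model does not reproduce that.
    name: str
    can_create_public: bool
    can_create_private: bool
    can_create_web_public: bool


@dataclass
class Channel:
    name: str
    privacy: Privacy
    owner: str


def check_create_permission(user: User, privacy: Privacy) -> None:
    """Enforce the 'may create a channel of this kind' policy."""
    allowed = {
        Privacy.PUBLIC: user.can_create_public,
        Privacy.PRIVATE: user.can_create_private,
        Privacy.WEB_PUBLIC: user.can_create_web_public,
    }[privacy]
    if not allowed:
        raise PermissionDenied(f"{user.name} may not create {privacy.value} channels")


def create_channel(user: User, name: str, privacy: Privacy) -> Channel:
    check_create_permission(user, privacy)
    return Channel(name=name, privacy=privacy, owner=user.name)


def change_privacy_vulnerable(user: User, channel: Channel, new_privacy: Privacy) -> Channel:
    """Pattern behind the flaw: ownership is checked, but the creation policy
    for the *target* privacy level is never re-applied on the change."""
    if channel.owner != user.name:
        raise PermissionDenied(f"{user.name} does not administer {channel.name}")
    channel.privacy = new_privacy
    return channel


def change_privacy_fixed(user: User, channel: Channel, new_privacy: Privacy) -> Channel:
    """Hardened form: changing privacy must satisfy the same policy that
    creating a channel with the new privacy level would."""
    if channel.owner != user.name:
        raise PermissionDenied(f"{user.name} does not administer {channel.name}")
    check_create_permission(user, new_privacy)
    channel.privacy = new_privacy
    return channel


def resulting_privacy(change_fn: Callable[[User, Channel, Privacy], Channel]) -> Optional[Privacy]:
    """Run the two-step sequence from the advisory against a privacy-change
    handler and report what the channel ends up as (None if the change is denied)."""
    # Constructed user: allowed to create private channels but not public ones.
    alice = User("alice", can_create_public=False, can_create_private=True,
                 can_create_web_public=False)
    try:
        create_channel(alice, "announcements", Privacy.PUBLIC)
    except PermissionDenied:
        pass  # direct creation is correctly refused by both variants
    channel = create_channel(alice, "announcements", Privacy.PRIVATE)
    try:
        return change_fn(alice, channel, Privacy.PUBLIC).privacy
    except PermissionDenied:
        return None


if __name__ == "__main__":
    print("vulnerable handler ends with:", resulting_privacy(change_privacy_vulnerable))
    print("fixed handler ends with:", resulting_privacy(change_privacy_fixed))
```

The fixed handler treats a privacy change as equivalent to creating a channel of the new kind, so the same policy gate applies on both paths; the same rule covers the reverse direction (public to private) that the advisory notes is reachable through the API.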

Affected Version(s)

zulip >= 10.0, < 10.3

References

CVSS V4

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published