Cross-Site Scripting Vulnerability in Zulip Server by Zulip
CVE-2025-52559

6.8MEDIUM

Key Information:

Vendor

Zulip

Status
Zulip
Vendor
CVE Published:
2 July 2025

What is CVE-2025-52559?

The Zulip Server, an open-source team chat application, has a vulnerability in its /digest/ URL which can expose users to Cross-Site Scripting (XSS) attacks via manipulated topic and channel names. Although this endpoint only previews the email weekly digest, the potential for XSS makes it a significant concern for server security. The issue affects all versions from 2.0.0-rc1 up to but not including 10.4. A fix was implemented in Zulip Server 10.4, and as a temporary solution, it is recommended to restrict access to the /digest/ URL to mitigate the risk.

Affected Version(s)

zulip >= 2.0.0-rc1, < 10.4

References

https://github.com/zulip/zulip/security/advisories/GHSA-v...
x_refsource_CONFIRM
https://github.com/zulip/zulip/commit/175ec1f365b0db982d6...
x_refsource_MISC
https://github.com/zulip/zulip/commit/1a8429e338ff53bdcc4...
x_refsource_MISC

CVSS V3.1

Score:
6.8
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.