Zulip Server
cpe:2.3:a:zulip:zulip_server:*:*:*:*:*:*:*
- >= 2.1.0, < 10.0
A vulnerability in Zulip Server's data export feature for organization administrators, present in versions 2.1.0 up to but not including 10.0, unintentionally exposes private data. All export types incorrectly include user-agent information from various integrations and HTTP libraries. Additionally, the 'public data' and 'with consent' exports may contain metadata from private channels and group DMs that administrators should not access. This flaw has existed since Zulip Server 2.1.0.
This vulnerability could lead to unauthorized access to private metadata and user-agent information, potentially revealing details about integrations used within the organization.