CVE-2025-30368 LOW

CVE-2025-30368: Zulip allows the deletion of an organization export by administrators of a different organization

Vendor Zulip
Product zulip
Weakness CWE-566 (Authorization Bypass Through User-Controlled SQL Primary Key)
Published March 31, 2025
Last update March 31, 2025

CVSS base score

2.7/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

Zulip is an open-source team collaboration tool. The API endpoint for deleting an organization export is supposed to be restricted to organization administrators. Its handler checked the caller's administrator role but looked up the export by its ID alone, without checking that the export belongs to the same organization as the caller. As a result, an administrator of any organization could delete an export belonging to a different organization simply by supplying its ID. This is fixed in Zulip Server 10.1.
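The following is an added, stand-alone illustration of the flaw class described above; it is not Zulip's code, and the names (UserProfile, RealmExport, ExportStore, delete_export_vulnerable, delete_export_fixed) and the in-memory records are hypothetical. It contrasts a handler that fetches the export by primary key alone after the role check with one that scopes the lookup to the caller's own organization.

```python
"""Illustrative reproduction of the authorization flaw behind CVE-2025-30368.

Added example, not Zulip's own code: all class and function names are
hypothetical, and the in-memory "database" below is constructed for the demo.
"""
from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when the caller lacks the required role."""


class NotFound(Exception):
    """Raised when the requested object is not visible to the caller."""


@dataclass
class UserProfile:
    user_id: int
    realm_id: int           # organization (realm) the user belongs to
    is_realm_admin: bool


@dataclass
class RealmExport:
    export_id: int
    realm_id: int           # organization that owns the export
    deleted: bool = False


@dataclass
class ExportStore:
    """Constructed in-memory stand-in for an exports table."""
    exports: dict = field(default_factory=dict)

    def get(self, export_id):
        # Lookup by primary key only: the caller's organization is not considered.
        return self.exports.get(export_id)

    def get_for_realm(self, export_id, realm_id):
        # Lookup scoped to one organization: a foreign export is invisible.
        exp = self.exports.get(export_id)
        if exp is None or exp.realm_id != realm_id:
            return None
        return exp


def require_realm_admin(user):
    # Both handlers perform this role check; it is necessary but not sufficient.
    if not user.is_realm_admin:
        raise AccessDenied("must be an organization administrator")


def delete_export_vulnerable(store, user, export_id):
    """Pre-fix pattern: role check, then fetch by user-controlled ID (CWE-566)."""
    require_realm_admin(user)
    exp = store.get(export_id)
    if exp is None:
        raise NotFound("export not found")
    exp.deleted = True
    return exp


def delete_export_fixed(store, user, export_id):
    """Post-fix pattern: the lookup is scoped to the caller's own organization."""
    require_realm_admin(user)
    exp = store.get_for_realm(export_id, user.realm_id)
    if exp is None:
        # Same response whether the ID is unknown or owned by another realm,
        # so the endpoint does not reveal which export IDs exist elsewhere.
        raise NotFound("export not found")
    exp.deleted = True
    return exp


def build_demo_store():
    """Two organizations, one export each (constructed sample data)."""
    store = ExportStore()
    store.exports[101] = RealmExport(export_id=101, realm_id=1)
    store.exports[202] = RealmExport(export_id=202, realm_id=2)
    return store


def demo():
    """Admin of realm 1 tries to delete realm 2's export against both handlers.

    Returns (export_202_deleted_by_vulnerable_handler, outcome_of_fixed_handler).
    """
    attacker = UserProfile(user_id=7, realm_id=1, is_realm_admin=True)

    store = build_demo_store()
    delete_export_vulnerable(store, attacker, 202)
    vulnerable_deleted = store.get(202).deleted

    store = build_demo_store()
    try:
        delete_export_fixed(store, attacker, 202)
        fixed_outcome = "deleted"
    except NotFound:
        fixed_outcome = "not found"
    return vulnerable_deleted, fixed_outcome


if __name__ == "__main__":
    print(demo())  # (True, 'not found')
```

The check that matters is the ownership constraint in the lookup itself (here `get_for_realm`, the equivalent of filtering the query by the caller's realm), not a separate comparison bolted on afterwards: scoping the query means a foreign object is simply never returned, which closes the cross-organization path and keeps the error response identical for unknown and foreign IDs.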

Key dates

02 Disclosure timeline

March 31, 2025 CVE published
March 31, 2025 Record updated