PT-2021-23099 · Zulip · Zulip

Credit: Erik Krogh Kristensen (+3)
Published: 2021-10-07
Updated: 2023-07-17
CVE-2021-41115
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Zulip versions prior to 4.7

Description: Zulip is an open source team chat server that allows organization administrators to configure linkifiers, which automatically create links from messages sent by users, detected via arbitrary regular expressions. A malicious organization administrator could subject the server to a denial of service via a regular expression complexity attack by configuring a quadratic-time regular expression in a linkifier and sending messages that exploited it. Zulip's validation code attempted to parse user-provided regexes to verify that they were safe from ReDoS, but this check was insufficient and was itself subject to ReDoS if the organization administrator entered a sufficiently complex invalid regex.

Recommendations: For versions prior to 4.7, upgrade to the just-released Zulip 4.7 or switch to the main branch to resolve the issue. As a temporary workaround, consider restricting the ability of organization administrators to configure linkifiers until the upgrade is applied.

Exploit
Fix

Tags: DoS, Resource Exhaustion

Weakness Enumeration

Related Identifiers: CVE-2021-41115, GHSA-4H36-MQFQ-42JG

Affected Products: Zulip