PT-2022-20461 · Zulip +1
Alexmv · Published 2022-06-25 · Updated 2022-07-07
CVE-2022-31017
| CVSS v2.0 | 2.1 (Low) |
| Vector | AV:N/AC:H/Au:S/C:P/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Zulip versions 2.1.0 through 5.2
Description
The issue is caused by a logic error in Zulip, an open-source team collaboration tool. When a message in a stream configured as private with protected history is edited, the server incorrectly sends an API event containing the edited message to all of the stream’s current subscribers, rather than only to those who already had access to the message. Official clients ignore this event, but it can be observed with a modified client or the browser’s developer tools.
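The following Python model, added here as an illustration and not taken from Zulip's code base or from this advisory, shows the class of logic error described above: the recipient set for a message-edit event is computed from current subscriptions instead of from who may access the message. The `Stream`, `Subscription` and `Message` types, the `protected_history` flag and all sample data are constructed for the example; the hardened version reuses the same access check that gates message history, and `overexposed_recipients` is the audit check a maintainer would run to confirm no event reaches a user the policy excludes.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


# Simplified model of a stream's access policy (hypothetical, not Zulip's data model).
@dataclass(frozen=True)
class Stream:
    name: str
    private: bool            # invite-only stream
    protected_history: bool  # subscribers cannot read messages sent before they joined


@dataclass(frozen=True)
class Subscription:
    user: str
    subscribed_at: datetime


@dataclass(frozen=True)
class Message:
    id: int
    sent_at: datetime
    content: str


def users_with_access(stream, subscriptions, message):
    """Subscribers allowed to read `message` under the stream's history policy.

    With protected history, a user who subscribed after the message was sent
    cannot fetch it through the history API, so no other event path may
    deliver its content to them either.
    """
    if not (stream.private and stream.protected_history):
        return {s.user for s in subscriptions}
    return {s.user for s in subscriptions if s.subscribed_at <= message.sent_at}


def edit_event_recipients_vulnerable(stream, subscriptions, message):
    """The logic error: the edit event is fanned out to every current subscriber."""
    return {s.user for s in subscriptions}


def edit_event_recipients_fixed(stream, subscriptions, message):
    """Hardened: the edit event reaches exactly the users who can already read the message."""
    return users_with_access(stream, subscriptions, message)


def overexposed_recipients(stream, subscriptions, message, recipients):
    """Audit check: recipients of an event that the access policy does not permit."""
    return set(recipients) - users_with_access(stream, subscriptions, message)


# Constructed sample data: alice subscribed before the message was sent, bob after.
def _at(hour):
    return datetime(2022, 6, 1, hour, tzinfo=timezone.utc)


STREAM = Stream("design", private=True, protected_history=True)
SUBS = [Subscription("alice", _at(9)), Subscription("bob", _at(12))]
MSG = Message(id=42, sent_at=_at(10), content="draft v2 (edited)")


def demo():
    """Returns (vulnerable recipients, fixed recipients, users overexposed by the bug)."""
    vuln = edit_event_recipients_vulnerable(STREAM, SUBS, MSG)
    fixed = edit_event_recipients_fixed(STREAM, SUBS, MSG)
    leaked = overexposed_recipients(STREAM, SUBS, MSG, vuln)
    return vuln, fixed, leaked


if __name__ == "__main__":
    vuln, fixed, leaked = demo()
    print("vulnerable fan-out:", sorted(vuln))
    print("fixed fan-out:     ", sorted(fixed))
    print("overexposed users: ", sorted(leaked))
```

The design point is that event fan-out and history fetching must share one access predicate; when they are computed separately, any later change to one (here, protected history) silently desynchronises the other.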
Recommendations
For versions 2.1.0 through 5.2, update to Zulip Server 5.3 to resolve the issue.
As a temporary workaround, consider restricting access to edited streams to minimize the risk of exploitation.
Affected Products
Zulip
Zulip Server