PT-2022-23141 · Unknown · Zulip Server
Andersk · Published 2022-08-31 · Updated 2022-09-08 · CVE-2022-36048

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Zulip Server versions prior to 5.6

Description: The issue arises when displaying messages with embedded remote images. Normally, Zulip loads the image preview through a go-camo proxy server, so the viewer's browser never contacts the remote host directly. However, an attacker who can send messages could include a crafted URL that causes the server to embed a direct reference to the remote image, bypassing the proxy. When the message is viewed, the attacker's server receives the request and can learn the viewer's IP address and browser fingerprinting information.

Recommendations: For versions prior to 5.6, update to Zulip Server 5.6 to resolve the issue. As a temporary workaround, consider disabling image and link previews to minimize the risk of exploitation.
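The defensive property behind this advisory is that every image reference in rendered message HTML must point at the camo proxy (or at the Zulip server itself), never at a third-party host. The following post-render check is an added example written for this page, not Zulip's own code or its test suite; it assumes the proxy is reached under the CAMO_PREFIX URL shown, and the HTML samples are constructed.

```python
"""Check that every <img> in rendered message HTML is served via the camo
image proxy or from the Zulip server itself (added example, not Zulip code)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the go-camo proxy is exposed under this prefix of the Zulip host.
CAMO_PREFIX = "https://chat.example.com/external_content/"


class ImgSrcCollector(HTMLParser):
    """Collect the src attribute of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def is_proxied_or_local(src: str, camo_prefix: str = CAMO_PREFIX) -> bool:
    """True if loading this image cannot reveal the viewer to a third party:
    it goes through the camo proxy, or it is a relative path on the Zulip
    server itself. Anything else (absolute URL, protocol-relative //host,
    data: or other schemes) is treated as a proxy bypass."""
    src = src.strip()
    parsed = urlparse(src)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path: only the Zulip server sees the request.
        # "//host/x.png" has an empty scheme but a netloc, so it is excluded.
        return not src.startswith("//")
    return src.startswith(camo_prefix)


def find_unproxied_images(rendered_html: str, camo_prefix: str = CAMO_PREFIX) -> list:
    """Return the image URLs in rendered_html that bypass the camo proxy."""
    collector = ImgSrcCollector()
    collector.feed(rendered_html)
    return [s for s in collector.srcs if not is_proxied_or_local(s, camo_prefix)]


# Constructed samples: a correctly proxied preview and a direct remote reference.
SAMPLE_PROXIED = ('<p><a href="https://example.org/a.png">'
                  '<img src="https://chat.example.com/external_content/deadbeef/'
                  '68747470733a2f2f6578616d706c652e6f72672f612e706e67"></a></p>')
SAMPLE_DIRECT = '<p><img src="https://third-party.example/pixel.png"></p>'

if __name__ == "__main__":
    print("proxied sample flags:", find_unproxied_images(SAMPLE_PROXIED))
    print("direct sample flags:", find_unproxied_images(SAMPLE_DIRECT))
```

Run the check over the rendered HTML of messages at test time, or over stored rendered content when auditing an instance before the upgrade; any non-empty result is a preview that would make the viewer's browser contact a third-party host.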

Related Identifiers

CVE-2022-36048
GHSA-VG5M-MF9X-J452

Affected Products

Zulip Server