PT-2025-13785 · Zulip · Zulip

Published: 2025-03-31 · Updated: 2025-08-27 · CVE-2025-27149

CVSS v4.0: 4.6 (Medium)
Vector: AV:N/AC:L/AT:N/PR:H/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Zulip versions prior to 10.0
Description: The data export feature available to organization administrators in Zulip leaks private data. The exports include the set of user-agent types that have been used to access any organization on the server, which identifies specific integrations or HTTP libraries such as ZulipGitlabWebhook, okhttp, or PycURL. The "public data" and "with consent" exports contain metadata, including the titles of some topics in private channels that the administrator otherwise had no access to. Additionally, the exports include metadata revealing which users were in a group DM together, without those users' consent.
Recommendations: For versions prior to 10.0, update to version 10.0 to resolve the issue. As a temporary workaround, restrict access to the data export feature to minimize the risk of private data leakage, and avoid using the data export feature until the issue is resolved.

Related Identifiers

CVE-2025-27149
GHSA-358P-X39M-99MM

Affected Products

Zulip