PT-2025-13805 · Unknown · Zulip Server

Published

2025-03-31

Updated

2025-08-27

CVE-2025-30368

CVSS v3.1

2.7

Low

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Zulip Server versions prior to 10.1

Description The issue concerns the API for deleting an organization export in Zulip, an open-source team collaboration tool. The API handler failed to check if the field belongs to the same organization as the user, allowing an administrator of any organization to delete an export of a different organization.

Recommendations For versions prior to 10.1, update to Zulip Server 10.1 to resolve the issue. As a temporary workaround, consider restricting access to the API endpoint for deleting an organization export to prevent unauthorized deletion of exports.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-566

Related Identifiers

CVE-2025-30368

GHSA-RMHR-5FFQ-QCRC

Affected Products

Zulip Server

PT-2025-13805 · Unknown · Zulip Server

CVE-2025-30368

Weakness Enumeration

Related Identifiers

Affected Products

References · 10