PT-2025-13806 · Unknown · Zulip Server

Bechar Thakor

Published

2025-03-31

Updated

2025-08-27

CVE-2025-30369

CVSS v3.1

2.7

Low

Vector

AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions Zulip Server versions prior to 10.1

Description The issue concerns the API for deleting an organization custom profile field in Zulip, an open-source team collaboration tool. The API handler failed to check if the field belongs to the same organization as the user, allowing an administrator of any organization to delete custom profile fields belonging to a different organization.

Recommendations For versions prior to 10.1, update to Zulip Server 10.1 to resolve the issue. As a temporary workaround, consider restricting access to the API endpoint for deleting organization custom profile fields to prevent unauthorized deletion.

Exploit

Fix

LPE

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-566

Related Identifiers

CVE-2025-30369

GHSA-FCGX-Q63F-7GW4

Affected Products

Zulip Server

PT-2025-13806 · Unknown · Zulip Server

CVE-2025-30369

Weakness Enumeration

Related Identifiers

Affected Products

References · 8