CVE-2024-36612

7.5 HIGH

📋 TL;DR

Zulip versions 8.0 through 8.3 contain a memory leak vulnerability in popover handling that allows attackers to gradually exhaust server memory through repeated triggering. This affects all Zulip server deployments running vulnerable versions, potentially leading to denial of service. The vulnerability requires user interaction to trigger but can be exploited by any authenticated user.

💻 Affected Systems

Products:
  • Zulip
Versions: 8.0 to 8.3
Operating Systems: All platforms running Zulip
Default Config Vulnerable: ⚠️ Yes
Notes: All Zulip deployments running affected versions are vulnerable regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server crash and denial of service due to memory exhaustion, requiring server restart and potentially causing data loss or service disruption.

🟠

Likely Case

Gradual performance degradation leading to increased latency and potential service instability until memory is reclaimed or server is restarted.

🟢

If Mitigated

Minimal impact with proper monitoring and memory limits in place, though some performance degradation may still occur during attack.

🌐 Internet-Facing: MEDIUM - Requires authenticated access but can be exploited remotely through web interface.
🏢 Internal Only: MEDIUM - Same technical risk but limited to internal users; insider threat or compromised accounts could exploit.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is technically simple - repeatedly triggering popovers causes memory accumulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.4 and later

Vendor Advisory: https://github.com/zulip/zulip/commit/0a90a13becbf0338a8fc1ad37946e51c2c25b0a5

Restart Required: Yes

Instructions:

1. Backup your Zulip installation and database.
2. Upgrade to Zulip 8.4 or later using standard upgrade procedures.
3. Restart the Zulip server services.
4. Verify the fix by checking the version and monitoring memory usage.

🔧 Temporary Workarounds

Disable popover functionality (platform: all)

Temporarily disable popover features to prevent exploitation while planning the upgrade.

Step: modify web/src/click_handlers.js to comment out the popover event handlers.

Implement memory limits (platform: linux)

Configure system memory limits and monitoring to detect and mitigate memory exhaustion.

Step: set memory limits via systemd or the container runtime (e.g., systemctl set-property zulip.service MemoryMax=2G).

🧯 If You Can't Patch

  • Implement strict memory monitoring and alerting for abnormal memory growth patterns.
  • Restrict user permissions to minimize potential attackers and implement rate limiting on UI interactions.

🔍 How to Verify

Check if Vulnerable:

Check the Zulip version in /home/zulip/deployments/current/version.py or via the web interface admin panel.

Check Version:

grep ZULIP_VERSION /home/zulip/deployments/current/version.py

Verify Fix Applied:

Verify version is 8.4+ and monitor memory usage during normal operation for stability.
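The version check above can be turned into a repeatable test. The following POSIX shell snippet is an added example, not part of the advisory or of the Zulip project: it extracts the quoted ZULIP_VERSION value from a version.py-style file (assumed format: a line such as ZULIP_VERSION = "8.3") and classifies it against the 8.0 to 8.3 range named in this advisory. The sample version.py content it writes to a temp file is constructed.

```shell
# Added example (not from the advisory or the Zulip project).
# Assumption: version.py contains a line of the form  ZULIP_VERSION = "8.3"

zulip_version_from_file() {
    # Print the quoted ZULIP_VERSION value from a version.py-style file ($1)
    sed -n 's/^ZULIP_VERSION[[:space:]]*=[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

zulip_cve_2024_36612_status() {
    # $1: version string, e.g. 8.3, 8.4, 8.3+git, 9.0
    # Prints one of: vulnerable | fixed | outside-range | unknown
    v=$1
    major=${v%%[!0-9]*}            # leading digits before the first dot
    case "$v" in
        *.*) rest=${v#*.}; minor=${rest%%[!0-9]*} ;;   # digits after the first dot
        *)   minor=0 ;;                                 # "8" is treated as 8.0
    esac
    [ -n "$major" ] || { echo unknown; return 1; }
    [ -n "$minor" ] || minor=0
    if [ "$major" -lt 8 ]; then
        echo outside-range          # older than the range this advisory covers
    elif [ "$major" -eq 8 ] && [ "$minor" -le 3 ]; then
        echo vulnerable             # 8.0 through 8.3
    else
        echo fixed                  # 8.4 and later
    fi
}

# Stand-alone demo on a constructed version.py (sample content, not a real install)
demo_file=$(mktemp)
printf 'ZULIP_VERSION = "8.3"\n' > "$demo_file"
zulip_cve_2024_36612_status "$(zulip_version_from_file "$demo_file")"
rm -f "$demo_file"
```

On a real server, pass the deployment's own file instead of the constructed one: `zulip_cve_2024_36612_status "$(zulip_version_from_file /home/zulip/deployments/current/version.py)"`. Only the numeric major.minor part is compared, so suffixes such as +git or -dev do not affect the result; a version string without leading digits is reported as unknown.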

📡 Detection & Monitoring

Log Indicators:

  • Rapid memory consumption in system logs
  • Out of memory errors in Zulip logs
  • Frequent popover-related JavaScript errors

Network Indicators:

  • Increased HTTP requests to popover endpoints
  • Slowing response times from Zulip server

SIEM Query:

(source="zulip.log" AND ("memory" OR "out of memory" OR "OOM")) OR (source="system.log" AND process="zulip" AND ("memory limit" OR "killed"))
