CVE-2025-25195
📋 TL;DR
This CVE describes an information disclosure bug in Zulip's unreleased 'main' development branch. When a channel was marked inactive by the weekly inactivity job, or reactivated afterwards, the notification event carrying the channel's name was sent to every user in the organization rather than only to the channel's subscribers, so the names of private channels leaked to non-members. The bug only ever existed on the development branch and was never present in any published Zulip release.
💻 Affected Systems
- Zulip
⚠️ Manual Verification Required
This CVE has no affected-version range in our database, so automatic vulnerability detection cannot tell whether your system is affected.
Why? No published Zulip release ever contained the bug; it existed only in a range of commits on the 'main' development branch, so the vendor and NVD list no vulnerable version range. Whether you are affected depends on which commit your deployment was built from, not on a version number.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
All users in an organization could learn the names of private channels they weren't members of, potentially revealing sensitive project names, team names, or confidential discussion topics.
Likely Case
Limited information disclosure where users discover the existence of private channels they weren't invited to, potentially causing privacy concerns or organizational friction.
If Mitigated
No impact for deployments running a published release: the vulnerability was never in a release and was fixed on the development branch before any release was cut from the affected code.
🎯 Exploit Status
Exploitation requires an account in the organization. No active exploit is needed: the attacker simply receives the events the server sends to all users, either after the weekly inactivity job marks a private channel inactive, or after someone sends a message to an inactive private channel and reactivates it.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Fixed in development branch via commits 75be449d456d29fef27e9d1828bafa30174284b4 and a2a1a7f8d152296c8966f1380872c0ac69e5c87e
Vendor Advisory: https://github.com/zulip/zulip/security/advisories/GHSA-x8cx-3hq5-4wj9
Restart Required: Yes
Instructions:
1. Update the deployment to current Zulip development code (or, preferably, to a published release, which was never affected)
2. Confirm that both fixing commits, 75be449d456d29fef27e9d1828bafa30174284b4 and a2a1a7f8d152296c8966f1380872c0ac69e5c87e, are present in the deployed tree
3. Restart Zulip services
🔧 Temporary Workarounds
Disable the channel inactivity job
Temporarily disable the weekly cron job that marks channels as inactive, by commenting out or removing the channel-inactivity cron entry in the Zulip configuration.
Caveat: this only closes the cron-triggered path. A private channel that is already inactive is still reactivated, and the broad event still sent, when someone posts to it, so this workaround reduces exposure but does not eliminate it.
🧯 If You Can't Patch
- Do not use development branch 'main' in production environments
- Revert to last stable release version of Zulip
🔍 How to Verify
Check if Vulnerable:
A deployment is vulnerable if it was built from the 'main' development branch at a commit that includes 50256f48314250978f521ef439cafa704e056539 but not a2a1a7f8d152296c8966f1380872c0ac69e5c87e. Published releases are not affected.
Check Version:
git merge-base --is-ancestor 50256f48314250978f521ef439cafa704e056539 HEAD && echo "introducing commit present"
Verify Fix Applied:
git merge-base --is-ancestor 75be449d456d29fef27e9d1828bafa30174284b4 HEAD && git merge-base --is-ancestor a2a1a7f8d152296c8966f1380872c0ac69e5c87e HEAD && echo "both fix commits present"
(git merge-base --is-ancestor exits 0 only when the given commit is reachable from HEAD; run the commands from the deployed Zulip checkout.)
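The following is an added example, not code from Zulip or from the advisory. It applies the commit-range check above to the output of `git rev-list HEAD` and reports one of four states, distinguishing a tree that carries only the first fixing commit from one that carries both. The commit ids are the ones named on this page; the state names and the function names are this example's own.

```python
"""Classify a zulip/zulip checkout for CVE-2025-25195 from its commit history.

Added example, not Zulip's code. The history is passed in as an iterable of
full SHAs exactly as `git rev-list HEAD` prints them, so the logic can be
exercised without a repository.
"""
import subprocess
import sys
from typing import Iterable

# Commit ids named in the advisory / on this page.
INTRODUCING = "50256f48314250978f521ef439cafa704e056539"
FIX_COMMITS = (
    "75be449d456d29fef27e9d1828bafa30174284b4",
    "a2a1a7f8d152296c8966f1380872c0ac69e5c87e",
)


def classify_history(history: Iterable[str]) -> str:
    """Return 'not_affected', 'vulnerable', 'partially_fixed' or 'fixed'.

    'fixed' requires every fixing commit to be present; a tree that carries
    only the first one is reported as 'partially_fixed' so that it is not
    mistaken for safe.
    """
    present = {sha.strip() for sha in history}
    if INTRODUCING not in present:
        # The bug was never introduced here, e.g. any published release.
        return "not_affected"
    fixes_present = [sha for sha in FIX_COMMITS if sha in present]
    if len(fixes_present) == len(FIX_COMMITS):
        return "fixed"
    if fixes_present:
        return "partially_fixed"
    return "vulnerable"


def classify_checkout(repo_path: str) -> str:
    """Run `git rev-list HEAD` in a real checkout and classify it (needs git)."""
    out = subprocess.run(
        ["git", "-C", repo_path, "rev-list", "HEAD"],
        check=True, capture_output=True, text=True,
    )
    return classify_history(out.stdout.splitlines())


if __name__ == "__main__":
    # Usage: python check_cve_2025_25195.py /path/to/zulip
    print(classify_checkout(sys.argv[1] if len(sys.argv) > 1 else "."))
```

The check matches exact SHAs, so it is reliable for a tree deployed straight from upstream 'main'. A fork that rebased or cherry-picked these commits has different ids; for such a tree, inspect the code paths the fixing commits touch rather than trusting this result.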
📡 Detection & Monitoring
Log Indicators:
- Events sent to all users containing private channel names
- Channel status change events with broad audience
Network Indicators:
- Unusual event broadcasts to entire organization
SIEM Query (illustrative; the field names below are not Zulip's event schema, map them to whatever your deployment actually logs):
event_type:channel_status_change AND audience:all_organization_users
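The core condition behind the indicators above is an event about an invite-only channel being delivered to users who are not subscribed to it. The following is an added example, not Zulip's code: an offline audit over constructed event-delivery records that reports every such mismatch. The record layout (`StreamEvent`, `recipient_user_ids`, the event type strings) is constructed for this example and is not Zulip's log format.

```python
"""Audit private-channel event deliveries for audiences wider than the
subscriber list, the pattern CVE-2025-25195 describes.

Added example, not Zulip's code. The record layout and sample data are
constructed here; adapt the field mapping to your own logs.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List


@dataclass(frozen=True)
class StreamEvent:
    event_type: str                     # constructed: e.g. "stream_reactivated"
    stream_name: str
    invite_only: bool                   # True for a private channel
    recipient_user_ids: FrozenSet[int]  # who the server pushed the event to


@dataclass(frozen=True)
class AuditFinding:
    event: StreamEvent
    leaked_to: FrozenSet[int]           # recipients who are not subscribers


def audit_events(events: Iterable[StreamEvent],
                 subscribers_by_stream: Dict[str, FrozenSet[int]]) -> List[AuditFinding]:
    """Return one finding per event about an invite-only stream that reached
    at least one non-subscriber. Public streams are skipped: their names are
    visible to everyone by design, so a broad audience is not a leak."""
    findings = []
    for ev in events:
        if not ev.invite_only:
            continue
        subs = subscribers_by_stream.get(ev.stream_name, frozenset())
        extra = ev.recipient_user_ids - subs
        if extra:
            findings.append(AuditFinding(ev, frozenset(extra)))
    return findings


# Constructed sample data: a six-user organization with one public and one
# private channel.
ALL_USERS = frozenset({1, 2, 3, 4, 5, 6})
SUBSCRIBERS = {
    "engineering": ALL_USERS,             # public channel
    "acquisition-q3": frozenset({1, 2}),  # private channel
}
SAMPLE_EVENTS = [
    # Correct behaviour: private-channel status change sent only to subscribers.
    StreamEvent("stream_deactivated", "acquisition-q3", True, frozenset({1, 2})),
    # The CVE pattern: reactivation event broadcast to the whole organization.
    StreamEvent("stream_reactivated", "acquisition-q3", True, ALL_USERS),
    # Public-channel broadcast: everyone may know this channel exists.
    StreamEvent("stream_deactivated", "engineering", False, ALL_USERS),
]


def leaked_user_ids(events=SAMPLE_EVENTS, subscribers=SUBSCRIBERS) -> FrozenSet[int]:
    """Union of non-subscribers who received any private-channel event."""
    ids = set()
    for finding in audit_events(events, subscribers):
        ids |= finding.leaked_to
    return frozenset(ids)


if __name__ == "__main__":
    for f in audit_events(SAMPLE_EVENTS, SUBSCRIBERS):
        print(f"{f.event.event_type}: private channel {f.event.stream_name!r} "
              f"exposed to non-subscribers {sorted(f.leaked_to)}")
```

Run against the constructed data, only the reactivation event is flagged, and the four non-subscribers it reached are listed. The same subscriber-set comparison is the check to apply to any server-side audience log: for a private channel, the set of recipients should never exceed the set of subscribers.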
🔗 References
- https://github.com/zulip/zulip/commit/50256f48314250978f521ef439cafa704e056539
- https://github.com/zulip/zulip/commit/75be449d456d29fef27e9d1828bafa30174284b4
- https://github.com/zulip/zulip/commit/a2a1a7f8d152296c8966f1380872c0ac69e5c87e
- https://github.com/zulip/zulip/security/advisories/GHSA-x8cx-3hq5-4wj9