Vulnerability Description
Zulip server provides an open-source team chat that helps teams stay productive and focused. Prior to 10.0, the data export to organization administrators feature in Zulip leaks private data. The collection of user-agent types identifying specific integrations or HTTP libraries (E.g., ZulipGitlabWebhook, okhttp, or PycURL) that have been used to access any organization on the server was incorrectly included in all three export types, regardless of if they were used to access the exported organization or not. The "public data" and "with consent" exports metadata including the titles of some topics in private channels which the administrator otherwise did not have access to, and none of the users consented to exporting and metadata for which users were in a group DM together. This vulnerability is fixed in 10.0.
CVSS Score
LOW
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Zulip | Zulip Server | >= 2.1.0, < 10.0 |
Related Weaknesses (CWE)
References
- https://github.com/zulip/zulip/security/advisories/GHSA-358p-x39m-99mmThird Party Advisory
FAQ
What is CVE-2025-27149?
CVE-2025-27149 is a vulnerability with a CVSS score of 2.7 (LOW). Zulip server provides an open-source team chat that helps teams stay productive and focused. Prior to 10.0, the data export to organization administrators feature in Zulip leaks private data. The coll...
How severe is CVE-2025-27149?
CVE-2025-27149 has been rated LOW with a CVSS base score of 2.7/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-27149?
Check the references section above for vendor advisories and patch information. Affected products include: Zulip Zulip Server.