CVE-2025-30369
CVE-2025-30369 is a low-severity vulnerability rated 2.7/10 on the CVSS scale. Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. EPSS estimates a 0.24% chance of exploitation in the next 30 days.
Description
Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any organization was incorrectly allowed to delete custom profile fields belonging to a different organization. This is fixed in Zulip Server 10.1.
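The missing tenancy check described above, as an added Python illustration (hypothetical code written for this page, not Zulip's own handler; `User`, `CustomProfileField` and the `delete_field_*` functions are assumptions). The vulnerable version checks only the caller's administrator role; the fixed version also requires the field to belong to the caller's own organization.

```python
# Added illustration of the access-control flaw in CVE-2025-30369 (hypothetical
# code, not Zulip's). Zulip calls an organization a "realm"; the pre-10.1 handler
# verified the admin role but not that the field lived in the caller's realm.
from dataclasses import dataclass


@dataclass
class User:
    name: str
    realm_id: int
    is_admin: bool


@dataclass
class CustomProfileField:
    field_id: int
    realm_id: int
    name: str


# Constructed sample data: two organizations, one custom profile field each.
FIELDS = {
    1: CustomProfileField(1, realm_id=100, name="Team"),
    2: CustomProfileField(2, realm_id=200, name="Pronouns"),
}


class PermissionDenied(Exception):
    pass


def delete_field_vulnerable(fields, user, field_id):
    """Checks only the admin role: an admin of any realm can delete any field."""
    if not user.is_admin:
        raise PermissionDenied("administrator role required")
    if field_id not in fields:
        raise KeyError(field_id)
    del fields[field_id]
    return True


def delete_field_fixed(fields, user, field_id):
    """Also scopes the lookup to the caller's realm (the missing tenancy check)."""
    if not user.is_admin:
        raise PermissionDenied("administrator role required")
    target = fields.get(field_id)
    # A field in another realm is treated exactly like a nonexistent one, so the
    # response does not reveal whether that id exists elsewhere.
    if target is None or target.realm_id != user.realm_id:
        raise KeyError(field_id)
    del fields[field_id]
    return True
```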
Metrics
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Zulip | Zulip Server | >= 1.6.0, < 10.1 |
References
- https://github.com/zulip/zulip/security/advisories/GHSA-fcgx-q63f-7gw4 (Patch, Third Party Advisory)
Source: NVD / NIST
