CVE-2025-25195
Description
CVE-2025-25195: Zulip's cron job and event logic leaked private channel names to all organization users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
CVE-2025-25195 is an information disclosure vulnerability in Zulip's main branch that leaked the names of private channels to all users in an organization. The issue was introduced in commit 50256f48314250978f521ef439cafa704e056539, which added a weekly cron job to mark channels as "inactive" after 180 days of no traffic [1][3][4]. When a private channel became inactive, an event containing the channel's name was broadcast to every user in the organization, not just those subscribed to the channel [4].
Exploitation and Attack Surface
The leakage occurred in two scenarios: (1) when the cron job demoted a private channel to inactive status, and (2) when the first message was sent to a previously inactive private channel, prompting an event that notified clients the channel was no longer inactive [4]. Both events included the private channel's name and were sent to all organization members, regardless of their subscription status. No authentication bypass or network-level access was required beyond being a normal user of the Zulip organization [2][4].
Impact
An attacker who is a member of the organization could learn the names of private channels, potentially gaining insights into sensitive projects, teams, or discussions. This exposure violates the confidentiality expected by users of private channels. The vulnerability was rated Medium (CVSS 4.3) due to the partial disclosure of potentially sensitive information [CVE header].
Mitigation
The issue was fixed in commits a2a1a7f8d152296c8966f1380872c0ac69e5c87e and 75be449d456d29fef27e9d1828bafa30174284b4, which restrict the "active status change" events to only the subscribers of the affected channel [1][2][4]. Because this vulnerability only existed in Zulip's main branch and was not included in any published releases, most users are not affected unless they were running a development or pre-release version [4].
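The fix described above comes down to one decision: who receives the "active status change" event. The following is an added, constructed model of that decision, not Zulip's code and not its event schema. It assumes a toy realm with users, channels and subscriptions, names the two recipient policies (everyone in the organization versus subscribers only), replays both leak scenarios from the description (cron demotion to inactive, and reactivation by a first message), and includes an audit helper that reports any private channel name delivered to a user who is not subscribed to it. The event type, channel names and user ids are all made up for the example.

```python
"""Constructed model of the CVE-2025-25195 event fan-out bug (not Zulip code).

A realm holds users, channels and subscriptions. An "active status change"
event for a channel is built, and two recipient-selection policies are
compared: the leaky one (every realm user) and the fixed one (subscribers
only). An audit helper reports private channel names delivered to users who
are not subscribed to the channel.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Channel:
    channel_id: int
    name: str
    invite_only: bool  # True for a private channel


@dataclass
class Realm:
    users: set[int]
    channels: dict[int, Channel]
    # channel_id -> subscribed user ids (constructed data, see demo_realm)
    subscriptions: dict[int, set[int]] = field(default_factory=dict)

    def subscribers(self, channel_id: int) -> set[int]:
        return set(self.subscriptions.get(channel_id, set()))


def active_status_event(channel: Channel, is_inactive: bool) -> dict:
    """Event payload; the channel name is what makes the leak meaningful."""
    return {
        "type": "channel_active_status",  # hypothetical event type, not Zulip's
        "channel_id": channel.channel_id,
        "name": channel.name,
        "is_inactive": is_inactive,
    }


def recipients_all_realm_users(realm: Realm, channel: Channel) -> set[int]:
    """Pre-fix behaviour: the event is broadcast to everyone in the organization."""
    return set(realm.users)


def recipients_subscribers_only(realm: Realm, channel: Channel) -> set[int]:
    """Post-fix behaviour: only users subscribed to the channel receive the event."""
    return realm.subscribers(channel.channel_id)


def send_active_status_change(realm, channel, is_inactive, recipient_policy):
    """Return the (user_id, event) deliveries instead of pushing them to clients."""
    event = active_status_event(channel, is_inactive)
    return [(user_id, event) for user_id in sorted(recipient_policy(realm, channel))]


def private_channel_leaks(realm, deliveries):
    """Audit a delivery log: private channel names sent to non-subscribers,
    as a sorted, de-duplicated list of (user_id, channel_name)."""
    leaks = set()
    for user_id, event in deliveries:
        channel = realm.channels[event["channel_id"]]
        if channel.invite_only and user_id not in realm.subscribers(channel.channel_id):
            leaks.add((user_id, channel.name))
    return sorted(leaks)


def demo_realm() -> Realm:
    """Constructed organization: one private channel with two of four users subscribed."""
    secret = Channel(1, "project-blackbird", invite_only=True)
    public = Channel(2, "general", invite_only=False)
    return Realm(
        users={10, 11, 12, 13},
        channels={1: secret, 2: public},
        subscriptions={1: {10, 11}, 2: {10, 11, 12, 13}},
    )


def leaks_under(policy):
    """Replay both leak scenarios from the advisory under a recipient policy."""
    realm = demo_realm()
    secret = realm.channels[1]
    # Scenario 1: the weekly cron job marks the private channel inactive.
    deliveries = send_active_status_change(realm, secret, True, policy)
    # Scenario 2: a first message after inactivity marks it active again.
    deliveries += send_active_status_change(realm, secret, False, policy)
    return private_channel_leaks(realm, deliveries)


if __name__ == "__main__":
    print("leaky policy:", leaks_under(recipients_all_realm_users))
    print("fixed policy:", leaks_under(recipients_subscribers_only))
```

With the leaky policy, users 12 and 13 (not subscribed to the private channel) each receive its name; with the subscribers-only policy the audit returns nothing. The audit helper is the part worth keeping in a real system: run it over any recipient computation that touches private channels, independent of which code path (cron job or message send) produced the event.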
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 3 (a2a1a7f8d152, 75be449d456d, 50256f483142)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0 (no linked articles in the index yet)