CVE-2025-27149
Published: 31 March 2025
Summary
CVE-2025-27149 is a medium-severity Exposure of Sensitive System Information to an Unauthorized Control Sphere (CWE-497) vulnerability in Zulip Server (vendor: Zulip). Its CVSS base score is 4.6 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Messaging Applications (T1213.005). The CVE is ranked at the 47.6th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8854
Vulnerability details
Zulip Server provides an open-source team chat that helps teams stay productive and focused. Prior to 10.0, the data export to organization administrators feature in Zulip leaks private data. The collection of user-agent types identifying specific integrations or HTTP libraries (e.g., ZulipGitlabWebhook, okhttp, or PycURL) that had been used to access any organization on the server was incorrectly included in all three export types, regardless of whether they had been used to access the exported organization. The "public data" and "with consent" exports also included metadata that the administrator otherwise did not have access to: the titles of some topics in private channels whose users had not consented to the export, and metadata about which users were in a group DM together. This vulnerability is fixed in 10.0.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability leaks metadata from private channels and topics, group DMs, and user-agent strings identifying integrations and client software (e.g., ZulipGitlabWebhook) via administrative data exports, enabling collection from messaging applications and discovery of the software in use.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Ongoing reviews detect and remove sensitive system information before it reaches publicly accessible systems.
- Employs detection to prevent unauthorized mining of sensitive system information from being exfiltrated to external control spheres.
- Documenting where system information is processed and stored prevents exposure to unauthorized control spheres.
- The control stops sensitive system information from crossing into unauthorized control spheres through EM emanations.
- Authorization and minimization requirements keep PII out of test/research control spheres that often lack production-grade protections.
- Documented categorization of system information reduces the chance that sensitive internals are left exposed to unauthorized spheres.
- System information is concealed or replaced with decoys, reducing leakage to unauthorized observers.
- Ensures sensitive system information is not disclosed outside the intended control sphere through error output.