CVE-2025-30369
Published: 31 March 2025
Summary
CVE-2025-30369 is a low-severity Authorization Bypass Through User-Controlled SQL Primary Key (CWE-566) vulnerability in Zulip Zulip Server. Its CVSS base score is 2.7 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001); ranked at the 41.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8865
Vulnerability details
Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the…
more
user. Therefore, an administrator of any organization was incorrectly allowed to delete custom profile fields belonging to a different organization. This is fixed in Zulip Server 10.1.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authorization bypass enables authenticated organization admins to delete (manipulate) stored data (custom profile fields) belonging to other organizations.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.