
CVE-2025-30369

Published: 31 March 2025
Modified: 27 September 2025
KEV added: not listed
Patch: available (Zulip Server 10.1)
CVSS v3.1 base score: 2.7 (Low), vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N
EPSS score: 0.0020 (41.9th percentile)
Risk priority: 6 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30369 is a low-severity Authorization Bypass Through User-Controlled SQL Primary Key (CWE-566) vulnerability in Zulip Server (vendor: Zulip). Its CVSS v3.1 base score is 2.7 (Low). The vector reflects that the attacker must already hold administrator rights in some organization on the same server (PR:H) and that the impact is limited to deleting another organization's custom profile field definitions (I:L, with no confidentiality or availability impact).

Operationally, exploitation maps to the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). EPSS ranks it at the 41.9th percentile for exploit likelihood, below the median, and it is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.


Vulnerability details

Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any organization was incorrectly allowed to delete custom profile fields belonging to a different organization on the same server. This is fixed in Zulip Server 10.1.
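The flaw described above is a classic CWE-566 pattern: the role check passes, but the object is fetched by a server-wide primary key with nothing tying it to the caller's organization. The following is an added, constructed model of that gap and of the fix, not Zulip's own code: the in-memory store, the `User` and `CustomProfileField` types, and the two handler functions are assumptions made for illustration. The fixed handler also returns the same "not found" result for a foreign field as for a nonexistent one, so the endpoint cannot be used to enumerate other organizations' field ids.

```python
"""Constructed model of the CVE-2025-30369 authorization gap (not Zulip code).

Two organizations ("realms") share one server and one global table of
custom profile fields keyed by an integer primary key. The vulnerable
handler checks the caller's admin role but looks the field up by id alone;
the fixed handler scopes the lookup to the caller's realm as well.
"""
from dataclasses import dataclass


class PermissionDenied(Exception):
    pass


class NotFound(Exception):
    pass


@dataclass(frozen=True)
class User:
    email: str
    realm: str            # organization the user belongs to (assumed model)
    is_realm_admin: bool


@dataclass(frozen=True)
class CustomProfileField:
    id: int               # global primary key, shared across all realms
    realm: str
    name: str


def build_store() -> dict:
    """Constructed sample data: two organizations on one server, each with
    one custom profile field. Ids are global, so an id from one realm is a
    valid lookup key when presented by an admin of another realm."""
    return {
        1: CustomProfileField(1, "acme", "Phone number"),
        2: CustomProfileField(2, "globex", "Pronouns"),
    }


def delete_field_vulnerable(store: dict, user: User, field_id: int) -> bool:
    """Mirrors the flawed pattern: the admin role is verified, but the field
    is fetched by primary key only, so nothing binds it to the caller's
    organization (CWE-566)."""
    if not user.is_realm_admin:
        raise PermissionDenied("must be an organization administrator")
    if field_id not in store:
        raise NotFound(field_id)
    del store[field_id]
    return True


def delete_field_fixed(store: dict, user: User, field_id: int) -> bool:
    """Scopes the lookup by (realm, id). A field from another organization is
    reported exactly like a nonexistent one, so the endpoint is not an oracle
    for other realms' field ids."""
    if not user.is_realm_admin:
        raise PermissionDenied("must be an organization administrator")
    f = store.get(field_id)
    if f is None or f.realm != user.realm:
        raise NotFound(field_id)
    del store[field_id]
    return True


def demo() -> dict:
    """Exercise both handlers with an admin of "acme" targeting "globex"'s
    field (id 2), then confirm the fixed handler still serves legitimate
    requests. Returns a dict of outcomes."""
    acme_admin = User("admin@acme.example", "acme", True)
    acme_member = User("user@acme.example", "acme", False)
    results = {}

    store = build_store()
    results["vulnerable_cross_realm"] = delete_field_vulnerable(store, acme_admin, 2)
    results["globex_field_survives_vulnerable"] = 2 in store

    store = build_store()
    try:
        delete_field_fixed(store, acme_admin, 2)
        results["fixed_cross_realm"] = "deleted"
    except NotFound:
        results["fixed_cross_realm"] = "not found"
    results["globex_field_survives_fixed"] = 2 in store

    # The fix must not break the legitimate case: acme's admin deletes acme's field.
    results["fixed_own_realm"] = delete_field_fixed(store, acme_admin, 1)

    # And the original role check still applies to non-admins.
    try:
        delete_field_fixed(build_store(), acme_member, 1)
        results["fixed_non_admin"] = "deleted"
    except PermissionDenied:
        results["fixed_non_admin"] = "denied"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design point is the shape of the lookup, not the role check: any handler that takes a client-supplied primary key must filter by the caller's tenant (here, `f.realm != user.realm`) in the same query or check that fetches the object, and should fail with the same error whether the object is absent or belongs to someone else.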

CWE(s)

CWE-566 Authorization Bypass Through User-Controlled SQL Primary Key

Related Threats

MITRE ATT&CK Enterprise Techniques

T1565.001 Stored Data Manipulation (tactic: Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The authorization bypass lets an authenticated administrator of one organization delete (that is, manipulate) stored data, namely the custom profile field definitions, belonging to a different organization on the same server.

Affected Assets

Vendor: Zulip
Product: Zulip Server
Versions: 1.6.0 up to, but not including, 10.1 (fixed in 10.1)

Mitigating Controls

No mitigating controls are mapped for this CVE. The vendor fix is to upgrade to Zulip Server 10.1; on unpatched servers the exposure is limited to multi-organization deployments, since the attacker must already hold administrator rights in some organization on the same server.
