CVE-2025-31478

EPSS 0.05%
Veröffentlicht 16.04.2025 21:28:23
Zuletzt bearbeitet 27.09.2025 00:10:58
Quelle security-advisories@github.com
Teams Watchlist Login
Unerledigt Login

Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able to authenticate with a single-sign on authentication backend, meaning the organization places no restrictions on email address domains or invitations being required to join, but has disabled the EmailAuthBackend that is used for email/password authentication. A bug in the Zulip server means that it is possible to create an account in such organizations, without having an account with the configured SSO authentication backend. This issue is patched in version 10.2. A workaround includes requiring invitations to join the organization prevents the vulnerability from being accessed.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Zulip ≫ Zulip Server Version < 10.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.05%	0.168

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/zulip/zulip/security/advisories/GHSA-qxfv-j6vg-5rqc

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-31478

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-31478

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-31478

EUVD