CVE-2025-31478

EPSS 0.05%
Published 16.04.2025 21:28:23
Last modified 27.09.2025 00:10:58
Source security-advisories@github.com
Teams watchlist Login
Open Login

Zulip is an open-source team collaboration tool. Zulip supports a configuration where account creation is limited solely by being able to authenticate with a single-sign on authentication backend, meaning the organization places no restrictions on email address domains or invitations being required to join, but has disabled the EmailAuthBackend that is used for email/password authentication. A bug in the Zulip server means that it is possible to create an account in such organizations, without having an account with the configured SSO authentication backend. This issue is patched in version 10.2. A workaround includes requiring invitations to join the organization prevents the vulnerability from being accessed.

Affected products Warnungen 0 Metrics 2 CWE 1 References 4

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

This information is available to logged-in users.

Data is provided by the National Vulnerability Database (NVD)

Zulip ≫ Zulip Server Version < 10.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.05%	0.168

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
security-advisories@github.com	8.2	3.9	4.2	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE-287 Improper Authentication

When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

https://github.com/zulip/zulip/security/advisories/GHSA-qxfv-j6vg-5rqc

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2025-31478

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-31478

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-31478

EUVD