CVE-2025-52559
BaseFortify
Publication date: 2025-07-02
Last updated on: 2025-10-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| zulip | zulip_server | From 2.0.1 (inc) to 10.4 (exc) |
| zulip | zulip_server | 2.0.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-52559 is a cross-site scripting (XSS) vulnerability in the Zulip Server's /digest/ preview URL, affecting versions from 2.0.0-rc1 up to, but not including, 10.4. This URL renders a preview of the weekly email digest, but topic names and channel names are not properly escaped when the preview is generated, so a low-privileged attacker can, with user interaction, cause malicious script to run remotely over the network in the browser of a user who views the preview. The vulnerability impacts confidentiality but not integrity or availability. It was fixed in version 10.4, which generates the preview HTML safely with the MarkupSafe library so that unsafe HTML or script cannot be injected. [1, 2, 3, 4]
How can this vulnerability impact me?
This vulnerability allows an attacker to run malicious script in the context of the Zulip Server's /digest/ preview page. Because the confidentiality impact is rated high, sensitive information could be exposed to unauthorized parties; the integrity and availability of the system are not affected. A low-privileged attacker could, with user interaction, use it to run script that steals data or performs actions on behalf of the user viewing the digest preview. The risk is mitigated by upgrading to version 10.4 or by denying access to the /digest/ URL. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
You can check for this vulnerability by confirming whether your Zulip Server version falls between 2.0.0-rc1 and (but not including) 10.4, and whether the /digest/ URL is reachable and renders topic or channel names without escaping them, which would allow XSS payloads. Because the issue is cross-site scripting in the /digest/ preview, you can request the /digest/ URL and inspect the HTML of the topic and channel names for unescaped markup or script tags. The resources provide no specific commands, but a practical approach is to fetch the /digest/ URL with curl or wget and review the response for unescaped HTML. For example, run `curl -i https://your-zulip-server/digest/` and look for unsafe HTML in the output. You can also confirm whether the server is vulnerable by querying its version or checking the installed package version. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation is to deny access to the /digest/ URL on your Zulip Server; this URL is not commonly used in most installations. Do this by configuring your web server or firewall to block requests to /digest/. Upgrading the Zulip Server to version 10.4 or later applies the official patch, which fixes the vulnerability by generating the HTML safely with the MarkupSafe library so that XSS is prevented. Until you can upgrade, blocking or restricting access to /digest/ is the recommended workaround. [1]
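As an added illustration (not Zulip's own code), the following Python contrasts the unescaped string-building that produces this class of bug with the MarkupSafe-escaped rendering the fix describes; the digest data, function names and the `contains_raw_script_tag` check are constructed for this example.

```python
# Added example, not Zulip code: why building the digest preview from raw
# topic/channel names is an XSS bug, and how escaping each name fixes it.
from html import escape as _stdlib_escape

try:
    # MarkupSafe is the library the upstream fix uses; fall back to the
    # stdlib escaper (same output for the characters used here) if absent.
    from markupsafe import escape
except ImportError:
    def escape(value):
        return _stdlib_escape(str(value), quote=True)

# Constructed sample standing in for names a low-privileged user could set
# on a channel or topic; not taken from any real server.
SAMPLE_DIGEST = {
    "channel": "general <b>x</b>",
    "topics": ["release notes", "<script>probe()</script>"],
}


def render_preview_unsafe(digest: dict) -> str:
    """Vulnerable pattern: user-controlled names are concatenated straight
    into the HTML, so markup inside a name becomes markup in the page."""
    items = "".join(f"<li>{t}</li>" for t in digest["topics"])
    return f"<h2>{digest['channel']}</h2><ul>{items}</ul>"


def render_preview_safe(digest: dict) -> str:
    """Hardened pattern (the fix's approach): every untrusted name is
    escaped before it is placed in the HTML; only the fixed wrapper tags
    written here remain live markup."""
    items = "".join(f"<li>{escape(t)}</li>" for t in digest["topics"])
    return f"<h2>{escape(digest['channel'])}</h2><ul>{items}</ul>"


def contains_raw_script_tag(html: str) -> bool:
    """Detection helper: a literal <script tag in the rendered preview means
    a name reached the page without being escaped."""
    return "<script" in html.lower()


if __name__ == "__main__":
    print("unsafe:", render_preview_unsafe(SAMPLE_DIGEST))
    print("safe:  ", render_preview_safe(SAMPLE_DIGEST))
```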