Release announcements, Security

Zulip 1.7.2 security release

Tim Abbott 2 min read

Today we’re releasing Zulip Server 1.7.2. This is a security release, containing just a handful of cherry-picked changes since 1.7.1.

What’s new

This release fixes several security issues:

  • CVE-2018-9986: Fix XSS issues with frontend markdown processor.
  • CVE-2018-9987: Fix XSS issue with muting notifications.
  • CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.
  • CVE-2018-9999: Fix XSS issue with user uploads and the (default) LOCAL_UPLOADS_DIR storage backend.

CVE-2018-9987 was introduced in Zulip 1.5.0; the other three issues were present in the first public release of Zulip. None of these issues were publicly known before today.

Thanks to Suhas Sunil Gaikwad for reporting CVE-2018-9987 and w9w for reporting CVE-2018-9986 and CVE-2018-9990.


All users should upgrade promptly to secure their systems. See the upgrade instructions in the Zulip documentation.

If you’re upgrading from 1.7.1, then the code changes are small and there are no migrations or dependency changes, so the risk of unexpected disruption is low.

If you need help, best-effort support is available on, the Zulip community chat server.


We love feedback from the Zulip user community. Here are a few ways you can connect:

Thanks to Rohitt Vashishtha for help in preparing this release.

—Tim Abbott