Zulip Server 10.2 security release

We released Zulip Server 10.2 today! This is a security release, fixing a critical security issue (CVE-2025-31478), as well as several bugs, most importantly a collection of issues that prevented servers using some S3-compatible block storage services from successfully uploading files on Zulip Server 10.x.
Upgrading
We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation.
Commercial support for server upgrades is available for installations that purchase a Business or Enterprise plan. For community support, everyone is welcome to drop by the Zulip development community.
CVE-2025-31478: Authentication backend configuration bypass in Zulip Server.
Account creation in Zulip organizations can be restricted simply by requiring successful authentication with a configured single-sign-on authentication method, such as Google Authentication, SAML, or OpenID Connect.
A bug in the Zulip server meant that it was possible to create a new account in an organization with such a configuration without using the configured authentication method.
This bug affects all versions of the Zulip Server prior to 10.2. Organizations that use LDAP for authentication or require an invitation to join are not impacted by this vulnerability. Limiting accounts to email addresses in specific email domains can also prevent the vulnerability from being exploited.
Thanks to Dmitry Zhirov for reporting this issue. An analysis of Zulip Cloud data did not find any evidence that this vulnerability was exploited against Zulip Cloud customers.
Notable changes
- CVE-2025-31478: Authentication backend configuration bypass in Zulip Server.
- Fixed several compatibility issues between the new `tusd`-based file upload support and some S3-compatible storage services. In particular:
  - The new `S3_SKIP_CHECKSUM` setting is required to prevent AWS’s S3 client libraries from refusing to make requests to some third-party S3 implementations — specifically, those that don’t yet support AWS’s new checksum algorithm. (Zulip 9.x used older versions of these libraries that did not attempt to enforce AWS’s new checksum algorithm).
  - Google Cloud Storage requires some additional configuration; see the documentation.
  - Fixed support for automatically accessing S3 secrets from EC2 instance profiles.
- Fixed compatibility issues between the new `tusd`-based file upload backend and using a non-default port for the Zulip server.
- Added support for PostgreSQL 17.
- Direct message conversations are now allowed to wrap to two lines in the left sidebar using a 2-line format, just like topics.
- Fixed an important server availability bug involving thumbnails for large video files.
- Fixed several web application bugs involving displaying group-based permissions.
- Fixed several visual glitches.
- Fixed a few bugs in the move conversation modal.
- Fixed a bug that prevented new hardening of content access from being enforced.
- Fixed a bug preventing showing archived channels that remain marked as web-public channels in the public access option. (Prior to Zulip 10.0, archiving a channel irreversibly made it private, so this bug only impacted channels archived after the upgrade to Zulip 10.0).
- Fixed a subtle issue involving file upload error handling with `tusd`.
- Moved the Prometheus metrics port for Smokescreen to 4760, to not conflict with the ports Zulip uses with more than 10 Tornado processes.
- Improved scroll position when selecting a very tall message using the `Up` keyboard shortcut.
- Improved integration URL construction interface for Git integrations.
- Improved behavior when viewing a channel feed in channels containing very old unread messages.
- Documented the new LaTeX copy/paste functionality.
- Upgraded Python dependencies.
- Updated translations.
Community
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org and provide feedback directly to the development community!
- Follow us on LinkedIn, Mastodon, Twitter/X, or join our announcement mailing list.