Release announcements, Security

Zulip Server 10.4 security release

Tim Abbott

We released Zulip Server 10.4 today! This is a security release, fixing an important security issue (CVE-2025-52559), as well as several bugs.

Upgrading

We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. Zulip Cloud has already been upgraded with the improvements in this release.

Commercial support for server upgrades is available for installations that purchase a Business or Enterprise plan. For community support, everyone is welcome to drop by the Zulip development community.

Notable changes

  • CVE-2025-52559: Cross-site scripting vulnerability in digest email preview page. This vulnerability can be mitigated without risk by blocking access to the /digest URL, since the vulnerable page is a developer tool for a rarely-used beta feature.
  • Added backported libheif packages, required to thumbnail images taken on iOS 18.
  • Added an OpenSearch integration.
  • Improved email mirror filtering of prefixes in email subject lines.
  • Improved html2text exception handling in the Mattermost data import tool.
  • Fixed a bug preventing uploading the same file twice within a browser session.
  • Fixed several minor issues with the PostgreSQL upgrade tool.
  • Fixed documentation that still referred to the previous name of the reset_authentication_attempt_count management command.
  • Fixed lag in the mention typeahead in organizations with several thousand users.
  • Fixed an exception in the password reset flow for systems hosted in AWS that do not have AWS credentials configured.
  • Updated dependencies.
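For installations that cannot upgrade immediately, the workaround for CVE-2025-52559 above is to deny the /digest path at the reverse proxy. The snippet below is an added example, not part of this announcement or of the Zulip project's own configuration; it assumes a standard self-hosted Zulip install where nginx fronts the application and picks up extra `.conf` files from `/etc/nginx/zulip-include/app.d/` (the directory name and file name are assumptions; use whatever include location your deployment's nginx config actually honors).

```nginx
# /etc/nginx/zulip-include/app.d/block-digest.conf   (path assumed, see lead-in)
#
# Temporary mitigation for CVE-2025-52559 until the server is upgraded to 10.4.
# "^~" is a prefix match that takes precedence over regex locations, so it also
# covers /digest/ and anything beneath it. Returning 404 rather than 403 avoids
# confirming that the path exists. Note that this prefix match will also block
# any other URL beginning with /digest, which is acceptable here because the
# page is a developer tool for a rarely-used beta feature.
location ^~ /digest {
    return 404;
}
```

Run `nginx -t` before reloading nginx, then confirm with `curl -sI https://zulip.example.com/digest` that the server answers 404 instead of rendering the preview page. The block only protects requests that pass through this nginx instance, so it does not help if clients can reach the application port directly. Remove the file once the server is on 10.4 or later so the upstream fix, rather than the workaround, is what you rely on.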

Thanks to Vyacheslav Bugaev for discovering and responsibly reporting CVE-2025-52559.

Community

We love feedback from the Zulip user community. Here are a few ways you can connect: