Zulip Server 10.4 security release

We released Zulip Server 10.4 today! This is a security release, fixing an important security issue (CVE-2025-52559), as well as several bugs.
Upgrading
We recommend that all installations upgrade to this new release. See the upgrade instructions in the Zulip documentation. Zulip Cloud has already been upgraded with the improvements in this release.
Commercial support for server upgrades is available for installations that purchase a Business or Enterprise plan. For community support, everyone is welcome to drop by the Zulip development community.
Notable changes
- CVE-2025-52559: Cross-site scripting vulnerability in the digest email preview page. This vulnerability can be mitigated without risk by blocking access to the /digest URL, since the vulnerable page is a developer tool for a rarely-used beta feature.
- Added backported libheif packages, required to thumbnail images taken on iOS 18.
- Added an OpenSearch integration.
- Improved email mirror filtering of prefixes in email subject lines.
- Improved html2text exception handling in the Mattermost data import tool.
- Fixed a bug preventing uploading the same file twice within a browser session.
- Fixed several minor issues with the PostgreSQL upgrade tool.
- Fixed documentation referring to the previous name for the reset_authentication_attempt_count management command.
- Fixed lag in the mention typeahead in organizations with several thousand users.
- Fixed an exception in the password reset flow for systems hosted in AWS that do not have AWS credentials configured.
- Updated dependencies.
Thanks to Vyacheslav Bugaev for discovering and responsibly reporting CVE-2025-52559.
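For installations that cannot upgrade immediately, the interim mitigation above (blocking the /digest URL) can be applied in the nginx front end. The snippet below is an added example, not part of the Zulip release notes or the Zulip codebase; it assumes a standard install where the Zulip server block includes custom snippets from /etc/nginx/zulip-include/app.d/ (adjust the path if your deployment differs).

```nginx
# Drop-in nginx snippet (added illustration, not Zulip's own configuration).
# Assumed location: a .conf file in /etc/nginx/zulip-include/app.d/ on a
# standard Zulip install, which the main server block includes.
#
# Blocks the digest email preview page affected by CVE-2025-52559 so that the
# request is answered by nginx and never reaches the vulnerable Django view.
# The release notes state this is risk-free because the page is only a
# developer tool for a rarely-used beta feature.
location ~ ^/digest/?$ {
    # Return 403 instead of redirecting; the view is simply never executed.
    return 403;
}
```

After reloading nginx, `curl -sI https://zulip.example.com/digest/` (placeholder hostname) should return 403; remove the snippet once the server is upgraded to 10.4. Regex locations in nginx are matched in file order, so place this file so it is included before any other regex location that could match the same path.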
Community
We love feedback from the Zulip user community. Here are a few ways you can connect:
- Join chat.zulip.org and provide feedback directly to the development community!
- Follow us on LinkedIn, Mastodon, Twitter/X, or join our announcement mailing list.