Skip to main content

Zulip CVE-2021-41115

MEDIUM
Uncontrolled Resource Consumption (CWE-400)
2021-10-07 security-advisories@github.com
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
CVE Published
Oct 07, 2021 - 23:15 nvd
MEDIUM 6.5

DescriptionNVD

Zulip is an open source team chat server. In affected versions Zulip allows organization administrators on a server to configure "linkifiers" that automatically create links from messages that users send, detected via arbitrary regular expressions. Malicious organization administrators could subject the server to a denial-of-service via regular expression complexity attacks; most simply, by configuring a quadratic-time regular expression in a linkifier, and sending messages that exploited it. A regular expression attempted to parse the user-provided regexes to verify that they were safe from ReDoS -- this was both insufficient, as well as _itself_ subject to ReDoS if the organization administrator entered a sufficiently complex invalid regex. Affected users should upgrade to the just-released Zulip 4.7, or main.

AnalysisAI

Zulip is an open source team chat server. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Technical ContextAI

This vulnerability is classified as Uncontrolled Resource Consumption (CWE-400), which allows attackers to cause denial of service by exhausting system resources. Zulip is an open source team chat server. In affected versions Zulip allows organization administrators on a server to configure "linkifiers" that automatically create links from messages that users send, detected via arbitrary regular expressions. Malicious organization administrators could subject the server to a denial-of-service via regular expression complexity attacks; most simply, by configuring a quadratic-time regular expression in a linkifier, and sending messages that exploited it. A regular expression attempted to parse the user-provided regexes to verify that they were safe from ReDoS -- this was both insufficient, as well as _itself_ subject to ReDoS if the organization administrator entered a sufficiently complex invalid regex. Affected users should upgrade to the just-released Zulip 4.7, or main. Affected products include: Zulip.

RemediationAI

A vendor patch is available. Apply the latest security update as soon as possible. Implement rate limiting, set resource quotas, validate input sizes, use timeouts.

More in Zulip

View all
CVE-2022-31168 HIGH
8.8 Jul 22

Zulip is an open source team chat tool. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low

CVE-2019-10476 HIGH
7.8 Oct 23

Jenkins Zulip Plugin 1.1.0 and earlier stored credentials unencrypted in its global configuration file on the Jenkins ma

CVE-2022-24751 HIGH
7.4 Mar 16

Zulip is an open source group chat application. Rated high severity (CVSS 7.4), this vulnerability is remotely exploitab

CVE-2026-26058 MEDIUM
6.1 Apr 03

Path traversal in Zulip's ./manage.py import function allows local attackers to read arbitrary files from the server fil

CVE-2026-40300 MEDIUM
6.0 May 12

Zulip is an open-source team collaboration tool. Prior to 12.0, With message_edit_history_visibility_policy set to "move

CVE-2022-35962 MEDIUM
5.7 Aug 29

Zulip is an open source team chat and Zulip Mobile is an app for iOS and Andriod users. Rated medium severity (CVSS 5.7)

CVE-2024-36624 MEDIUM
5.4 Nov 29

Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the construct_copy_div function in copy_and_paste.js. Rated me

CVE-2024-36625 MEDIUM
5.4 Nov 29

Zulip 8.3 is vulnerable to Cross Site Scripting (XSS) via the replace_emoji_with_text function in ui_util.ts. Rated medi

CVE-2026-25742 MEDIUM
5.3 Apr 03

Zulip versions 1.4.0 through 11.5 allow unauthenticated retrieval of attachments and topic history from web-public strea

CVE-2021-43791 MEDIUM
5.3 Dec 02

Zulip is an open source group chat application that combines real-time chat with threaded conversations. Rated medium se

CVE-2022-36048 MEDIUM
4.3 Aug 31

Zulip is an open-source team collaboration tool with topic-based threading that combines email and chat. Rated medium se

CVE-2023-28623 LOW
3.7 May 19

Zulip is an open-source team collaboration tool with unique topic-based threading. Rated low severity (CVSS 3.7), this v

Share

CVE-2021-41115 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy