CVE Vulnerability Database

CVE-2025-31478: Zulip Server Auth Bypass Vulnerability

CVE-2025-31478 is an authentication bypass flaw in Zulip Server that allows attackers to create accounts without SSO authentication. This article covers technical details, affected versions, impact, and mitigation steps.

CVE-2025-31478 Overview

CVE-2025-31478 is an authentication bypass vulnerability [CWE-287] in the Zulip open-source team collaboration server. The flaw allows unauthorized account creation in Zulip organizations (realms) that rely exclusively on a single sign-on (SSO) authentication backend and do not require invitations or restrict signups to an email domain allowlist. When administrators disable EmailAuthBackend and depend solely on SSO for identity verification, the server never enforces that requirement during signup: the email-based signup form still accepts registrations. Attackers can therefore create accounts without authenticating against the configured SSO backend, gaining whatever access a newly joined member has to the organization's channels and messages.

Critical Impact

Remote unauthenticated attackers can bypass SSO requirements and create accounts in Zulip organizations that disabled email/password authentication, exposing internal communications and team data.

Affected Products

  • Zulip Server versions prior to 10.2
  • Zulip self-hosted deployments configured with SSO-only authentication
  • Zulip organizations without invitation requirements or email domain restrictions

Discovery Timeline

  • 2025-04-16 - CVE-2025-31478 published to NVD
  • 2026-01-23 - Last updated in NVD database

Technical Details for CVE-2025-31478

Vulnerability Analysis

The vulnerability resides in the Zulip signup workflow, specifically in zerver/forms.py (HomepageForm) and zerver/views/registration.py. Zulip supports a configuration where account creation is gated only by successful authentication against an SSO backend such as SAML, OpenID Connect, or a social OAuth provider. LDAP does not belong in that list: in Zulip's backend model the LDAP backend is a password backend, so a realm with LDAP enabled is not in the vulnerable configuration. Administrators implement SSO-only signup by disabling EmailAuthBackend while leaving open enrollment enabled (no invitations required, no email domain allowlist), on the assumption that the SSO provider is the gatekeeper for who can join.

The HomepageForm used by the email-based signup flow (the form behind /accounts/home/, which sends a confirmation link that is completed at /accounts/register/) did not verify that a password-based authentication backend was enabled before accepting the request. The SSO requirement therefore existed only in which options the login page offered, not in the signup logic, and the email path bypassed it entirely. An unauthenticated network attacker can submit a registration request and create a fully functional account in the target realm without ever interacting with the configured SSO provider.

Root Cause

The root cause is missing authentication backend enforcement during the signup flow. The form did not import or check password_auth_enabled, so it accepted registrations even when no email/password backend was configured. This is a logic flaw: the security model assumed every new account would arrive through SSO, but no code path in the signup flow enforced that assumption.
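To make the gap concrete, the following is an added model of the signup gate before and after the fix. It is illustration code written for this article, not Zulip's own HomepageForm or zproject.backends code: the Realm dataclass, backend names and error strings are simplified stand-ins constructed so the block runs offline. The one rule it keeps faithfully is that a "password backend" means email/password or LDAP, while SAML, OIDC and social-auth backends do not count.

```python
"""Model of the signup gate before and after the CVE-2025-31478 fix.

Added illustration, not Zulip's code. ``Realm`` and the helper names below
are constructed stand-ins for the real HomepageForm / zproject.backends logic.
"""
from dataclasses import dataclass, field


@dataclass
class Realm:
    """Constructed stand-in for the realm settings the signup form consults."""

    # Backend name -> enabled, in the spirit of Realm.authentication_methods
    authentication_methods: dict[str, bool]
    invite_required: bool = False
    emails_restricted_to_domains: bool = False
    allowed_domains: set[str] = field(default_factory=set)


def password_auth_enabled(realm: Realm) -> bool:
    """True when a password-based backend (email/password or LDAP) is on.

    SAML, OIDC and social-auth backends do not count: they hand the identity
    check to an external provider, which is exactly what the signup form must
    not be allowed to skip.
    """
    return any(realm.authentication_methods.get(name, False) for name in ("Email", "LDAP"))


def email_allowed_by_domain_policy(realm: Realm, email: str) -> bool:
    """Domain allowlist check; unrestricted realms accept any domain."""
    if not realm.emails_restricted_to_domains:
        return True
    domain = email.rsplit("@", 1)[-1].lower()
    return domain in realm.allowed_domains


def validate_signup_email(
    realm: Realm,
    email: str,
    has_invite: bool = False,
    require_password_backend: bool = False,
) -> list[str]:
    """Validation errors for a plain (non-SSO) signup request.

    With the default require_password_backend=False this reproduces the
    pre-10.2 gap: an SSO-only realm with open enrollment accepts the request.
    The fixed view passes True, which adds the final check.
    """
    errors: list[str] = []
    if realm.invite_required and not has_invite:
        errors.append("invite_required")
    if not email_allowed_by_domain_policy(realm, email):
        errors.append("domain_not_allowed")
    if require_password_backend and not password_auth_enabled(realm):
        # The check the patch adds: with no password backend this form must
        # not create accounts; the user has to come in through SSO.
        errors.append("no_password_backend")
    return errors


def demo() -> dict[str, list[str]]:
    """Run the configurations discussed on the page against one attacker email."""
    attacker = "mallory@attacker.example"
    sso_only_open = Realm({"Email": False, "LDAP": False, "SAML": True})
    sso_only_invite = Realm({"SAML": True}, invite_required=True)
    sso_only_domains = Realm(
        {"SAML": True}, emails_restricted_to_domains=True, allowed_domains={"acme.example"}
    )
    email_reenabled = Realm({"Email": True, "SAML": True})
    return {
        "vulnerable": validate_signup_email(sso_only_open, attacker),
        "fixed": validate_signup_email(sso_only_open, attacker, require_password_backend=True),
        "workaround_invite": validate_signup_email(sso_only_invite, attacker),
        "workaround_domains": validate_signup_email(sso_only_domains, attacker),
        # Re-enabling email auth satisfies the new check, so open email signup
        # is then permitted by design rather than blocked.
        "email_reenabled_fixed": validate_signup_email(
            email_reenabled, attacker, require_password_backend=True
        ),
    }


if __name__ == "__main__":
    for name, errs in demo().items():
        print(f"{name:>22}: {'accepted' if not errs else errs}")
```

The "vulnerable" entry is the bug: an SSO-only realm with open enrollment returns no errors, so the account gets created. The "fixed" entry shows the single added check closing it. The last entry is the caveat for the workaround of re-enabling EmailAuthBackend: the check passes, but only because open email/password signup is now the configured policy.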

Attack Vector

Exploitation requires network access to the Zulip web interface, a target realm configured with SSO-only authentication, open enrollment, and no invitation requirement, and a mailbox that can receive the signup confirmation link (any address the attacker controls, since no domain allowlist is in place). The attacker submits a standard registration request to the signup endpoint. The server processes the registration without redirecting to or validating against the SSO backend and creates the account directly.

python
# Patch in zerver/forms.py - adds password_auth_enabled import
     get_realm,
 )
 from zerver.models.users import get_user_by_delivery_email, is_cross_realm_bot_email
-from zproject.backends import check_password_strength, email_auth_enabled, email_belongs_to_ldap
+from zproject.backends import (
+    check_password_strength,
+    email_auth_enabled,
+    email_belongs_to_ldap,
+    password_auth_enabled,
+)
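Review bot: password_auth_enabled is added to the import list but nothing in this hunk uses it, so on its own the import changes no behaviour; the check that consumes it, together with the require_password_backend parameter it exists to support, lives in a part of zerver/forms.py that the excerpt does not show. Confirm that HomepageForm raises a form validation error whenever require_password_backend is set and password_auth_enabled(realm) is False, and that the message it returns points the user at the realm's SSO login rather than failing silently.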
python
# Patch in zerver/views/registration.py - enforces password backend check
         form = HomepageForm(
             request.POST,
             realm=realm,
+            require_password_backend=True,
             from_multiuse_invite=from_multiuse_invite,
             invited_as=invited_as,
         )
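Review bot: require_password_backend=True is passed at this single HomepageForm construction site, so any other caller that builds a HomepageForm for the signup flow keeps the pre-fix behaviour unless it is updated as well. Consider making the safe value the default on the form (with an explicit require_password_backend=False only where a password backend is genuinely expected), or adding a test that fails when a registration HomepageForm is built without the flag, so the bypass cannot be reintroduced by omission.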

Source: Zulip Security Patch Commit b5ab90a

Detection Methods for CVE-2025-31478

Indicators of Compromise

  • New user accounts created in SSO-only realms without corresponding SSO provider authentication logs
  • Account registrations originating from IP addresses that have no matching session at the configured identity provider
  • Unexpected UserProfile entries in the Zulip database for realms configured with AUTHENTICATION_BACKENDS excluding EmailAuthBackend

Detection Strategies

  • Cross-reference Zulip signup events with SSO provider authentication logs to identify accounts created without a matching SSO session
  • Audit the zerver_userprofile table for accounts created before the upgrade in realms where neither EmailAuthBackend nor the LDAP backend is enabled; every such account was created while the gap was open and needs an SSO provenance check
  • Monitor Zulip server access logs for POST requests to /accounts/register/ and /accounts/home/ in SSO-only deployments

Monitoring Recommendations

  • Enable detailed audit logging for account creation events and forward them to a centralized log platform
  • Alert on registration completions in realms configured with invite_required=False and SSO-only backends
  • Periodically review RealmAuditLog for USER_CREATED events with unusual provenance (off-hours creation, external email domains, no matching identity-provider sign-in)
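The two detection strategies above (cross-referencing signups with identity-provider logs, and watching signup POSTs in the access log) can be scripted. The block below is an added example written for this article, not Zulip tooling or code from the original page. All inputs are constructed inline: USERS mimics a dump of zerver_userprofile, IDP_AUTH_LOG mimics a SAML/OIDC provider's sign-in log, and ACCESS_LOG mimics Zulip's nginx access log in combined format. The column names, timestamp formats and the 15-minute correlation window are assumptions for the illustration.

```python
"""Detection example for CVE-2025-31478.

Added example, not from Zulip or the original page. Flags accounts in an
SSO-only realm with no identity-provider sign-in shortly before creation, and
extracts signup POSTs from a web server access log. Inputs are constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Realms whose authentication_methods disable Email and LDAP (assumed).
SSO_ONLY_REALMS = {"acme"}
# An SSO-created account should have an IdP sign-in at most this long before it.
WINDOW = timedelta(minutes=15)

# Constructed zerver_userprofile rows: realm string_id, delivery email, date_joined.
USERS = [
    {"realm": "acme", "email": "alice@acme.example", "date_joined": "2025-04-10T09:03:12Z"},
    {"realm": "acme", "email": "Mallory@attacker.example", "date_joined": "2025-04-11T22:41:05Z"},
    {"realm": "acme", "email": "bob@acme.example", "date_joined": "2025-04-12T08:00:00Z"},
    {"realm": "openteam", "email": "carol@example.org", "date_joined": "2025-04-12T08:05:00Z"},
]
# Constructed identity-provider sign-in events for the Zulip application.
IDP_AUTH_LOG = [
    {"email": "alice@acme.example", "ts": "2025-04-10T09:02:40Z"},
    {"email": "bob@acme.example", "ts": "2025-04-12T07:59:20Z"},
    {"email": "bob@acme.example", "ts": "2025-04-12T10:15:00Z"},  # later sign-in, not relevant
]
# Constructed nginx access-log lines (combined format).
ACCESS_LOG = """\
203.0.113.7 - - [11/Apr/2025:22:40:31 +0000] "POST /accounts/home/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Apr/2025:22:41:05 +0000] "POST /accounts/register/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2025:07:59:25 +0000] "GET /accounts/login/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Apr/2025:08:00:00 +0000] "POST /accounts/register/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

SIGNUP_PATHS = ("/accounts/home/", "/accounts/register/")
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_iso(ts: str) -> datetime:
    """Parse the constructed 'YYYY-MM-DDTHH:MM:SSZ' timestamps as UTC."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accounts_without_sso_auth(users, idp_log, sso_only_realms, window=WINDOW) -> list[str]:
    """Emails of accounts in SSO-only realms with no IdP sign-in in the window before creation."""
    sign_ins: dict[str, list[datetime]] = {}
    for event in idp_log:
        sign_ins.setdefault(event["email"].lower(), []).append(parse_iso(event["ts"]))
    flagged = []
    for user in users:
        if user["realm"] not in sso_only_realms:
            continue
        joined = parse_iso(user["date_joined"])
        # Compare case-insensitively: IdPs and Zulip may normalise emails differently.
        times = sign_ins.get(user["email"].lower(), [])
        if not any(joined - window <= t <= joined for t in times):
            flagged.append(user["email"])
    return flagged


def signup_posts(access_log: str) -> list[tuple[str, datetime, str]]:
    """(client IP, time, path) for every POST to a signup endpoint in the log."""
    hits = []
    for line in access_log.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path not in SIGNUP_PATHS:
            continue
        hits.append((m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"), path))
    return hits


if __name__ == "__main__":
    print("accounts with no SSO sign-in:", accounts_without_sso_auth(USERS, IDP_AUTH_LOG, SSO_ONLY_REALMS))
    for ip, ts, path in signup_posts(ACCESS_LOG):
        print(f"{ts.isoformat()} {ip} POST {path}")
```

In the constructed data only the Mallory account is flagged: Alice and Bob each have an IdP sign-in within the window, and Carol's realm is not SSO-only. Note that the access-log signal alone is not an alarm: a new user who signs in through SSO for the first time also finishes on /accounts/register/, which is why Bob's POST appears in the output too. Treat signup POSTs as the trigger for the cross-reference, and the missing IdP sign-in as the finding.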

How to Mitigate CVE-2025-31478

Immediate Actions Required

  • Upgrade Zulip Server to version 10.2 or later, which contains the require_password_backend=True enforcement
  • Audit existing accounts in affected realms and disable any that cannot be tied to a legitimate SSO authentication event
  • Review realm configuration to confirm authentication backend settings match organizational intent

Patch Information

The issue is fixed in Zulip Server 10.2. The patch adds the password_auth_enabled import and passes require_password_backend=True to HomepageForm, which blocks signup attempts when no password backend is enabled. Details are available in the Zulip GitHub Security Advisory GHSA-qxfv-j6vg-5rqc.

Workarounds

  • Require invitations to join the organization by setting invite_required=True; the vulnerable signup path then rejects anyone without an invitation, which is the workaround that preserves SSO-only intent
  • Restrict account creation to specific email domains using the realm's domain allowlist until the upgrade is applied; this narrows the exposure to attackers who control a mailbox in an allowed domain rather than closing it
  • Re-enabling EmailAuthBackend is the weakest option: it makes open email/password signup the configured policy rather than a bug, so only use it with a strong password policy when invitation enforcement is not feasible, and treat it as a temporary state

```bash
# Enforce invitation-only signup as a workaround (Zulip management shell).
# manage.py must run as the zulip user; string_id is the realm's subdomain.
su zulip -c '/home/zulip/deployments/current/manage.py shell'
# Inside the shell (a direct ORM save does not write a RealmAuditLog entry;
# toggling the same setting in the organization settings UI does):
>>> from zerver.models import Realm
>>> realm = Realm.objects.get(string_id="your-realm")
>>> realm.invite_required = True
>>> realm.save(update_fields=["invite_required"])
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
