CVE-2025-31478 Overview
CVE-2025-31478 is an authentication bypass vulnerability in Zulip, an open-source team collaboration platform. The flaw allows attackers to create accounts in Zulip organizations that rely exclusively on a single sign-on (SSO) authentication backend, without ever authenticating against that backend. The issue affects deployments where EmailAuthBackend is disabled and access is gated solely by SSO, and only organizations that neither require invitations nor restrict signups to specific email domains. The vulnerability is tracked under CWE-287 (Improper Authentication). Zulip resolved the issue in version 10.2.
Critical Impact
Remote unauthenticated attackers can register accounts in SSO-restricted Zulip organizations that neither require invitations nor restrict email domains, bypassing the configured authentication backend and gaining the access of an ordinary member to internal team communications.
Affected Products
- Zulip Server versions prior to 10.2
- Deployments using SSO authentication backends with EmailAuthBackend disabled
- Organizations without invitation requirements or email domain restrictions
Discovery Timeline
- 2025-04-16 - CVE-2025-31478 published to NVD
- 2026-01-23 - Last updated in NVD database
Technical Details for CVE-2025-31478
Vulnerability Analysis
The vulnerability resides in Zulip's account creation logic. Zulip supports configurations where organizations restrict access through a single SSO backend, disabling the standard email/password EmailAuthBackend. Administrators rely on this configuration to ensure that only users authenticated through the corporate identity provider can register.
A logic flaw in the server's signup flow permits account creation to proceed even when the user has not authenticated against the configured SSO backend. The server fails to enforce that the registering user holds a valid identity from the only enabled authentication method. As a result, attackers reach the account creation endpoint and complete registration without satisfying the SSO requirement.
The impact is scoped to confidentiality and integrity within the affected organization. An attacker who creates an unauthorized account gains the same baseline access as any legitimate member, including the ability to view channels, read messages, and post content.
Root Cause
The root cause is improper authentication enforcement during the signup pathway. The server checks whether account creation is permitted based on organization settings such as invitation requirements and email domain restrictions, but does not verify that the prospective user authenticated through the active SSO backend. When both invitation requirements and domain restrictions are absent, the missing SSO verification leaves the registration endpoint open.
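The conditions above, together with the Affected Products criteria and the realm-level workarounds, can be checked mechanically. The following Python triage script is an added example, not Zulip's own code: it takes the server version, the AUTHENTICATION_BACKENDS list from /etc/zulip/settings.py and a realm's invite_required / emails_restricted_to_domains flags, and reports which exposure conditions hold. The set of backend class names it treats as SSO, the RealmSettings container and the sample values are assumptions made for illustration.

```python
# Added triage helper (not Zulip project code). It encodes the exposure
# conditions for CVE-2025-31478 as a check over values an administrator already
# has: the server version, AUTHENTICATION_BACKENDS from /etc/zulip/settings.py,
# and a realm's invite_required / emails_restricted_to_domains flags.
# The set of backends treated as "SSO" below is an assumption for illustration.
from dataclasses import dataclass
from typing import List, Tuple

FIXED_VERSION = (10, 2)
EMAIL_BACKEND = "zproject.backends.EmailAuthBackend"
# Backend class names shipped with Zulip that delegate authentication to an
# external identity provider (assumed SSO set; LDAP is a password backend and is
# deliberately left out).
SSO_BACKENDS = {
    "zproject.backends.SAMLAuthBackend",
    "zproject.backends.GenericOpenIdConnectBackend",
    "zproject.backends.ZulipRemoteUserBackend",
    "zproject.backends.GoogleAuthBackend",
    "zproject.backends.GitHubAuthBackend",
    "zproject.backends.GitLabAuthBackend",
    "zproject.backends.AzureADAuthBackend",
    "zproject.backends.AppleAuthBackend",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Reduce a ZULIP_VERSION string such as '10.1' or '10.1-37-gdeadbee' to a
    comparable tuple of its leading numeric components."""
    core = version.split("-", 1)[0]
    parts = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)


@dataclass
class RealmSettings:
    """The two realm-level flags that gate open signup (constructed container;
    in Zulip these are fields on the Realm model)."""
    name: str
    invite_required: bool
    emails_restricted_to_domains: bool


def assess(zulip_version: str, backends: List[str], realm: RealmSettings) -> Tuple[bool, List[str]]:
    """Evaluate every condition that must hold for `realm` to be exposed.

    Returns (exposed, findings). `findings` lists each condition that is met, so
    when `exposed` is True the list shows which single change (upgrade, require
    invitations, or restrict domains) closes the gap.
    """
    enabled = set(backends)
    sso = sorted(b.rsplit(".", 1)[-1] for b in enabled & SSO_BACKENDS)
    checks = [
        (parse_version(zulip_version) < FIXED_VERSION,
         f"server version {zulip_version} is older than the fixed release 10.2"),
        (EMAIL_BACKEND not in enabled, "EmailAuthBackend is disabled"),
        (bool(sso), "SSO backend(s) enabled: " + ", ".join(sso)),
        (not realm.invite_required, f"realm '{realm.name}' does not require invitations"),
        (not realm.emails_restricted_to_domains, f"realm '{realm.name}' does not restrict email domains"),
    ]
    findings = [message for met, message in checks if met]
    return all(met for met, _ in checks), findings


# Constructed sample: a SAML-only deployment on a pre-fix release with one open
# realm and one invite-only realm.
SAMPLE_BACKENDS = ["zproject.backends.SAMLAuthBackend"]
OPEN_REALM = RealmSettings("engineering", invite_required=False, emails_restricted_to_domains=False)
INVITE_ONLY_REALM = RealmSettings("finance", invite_required=True, emails_restricted_to_domains=False)

if __name__ == "__main__":
    for realm in (OPEN_REALM, INVITE_ONLY_REALM):
        exposed, findings = assess("10.1", SAMPLE_BACKENDS, realm)
        print(f"{realm.name}: {'EXPOSED' if exposed else 'not exposed'}")
        for line in findings:
            print("  -", line)
```

Only the open realm is reported as exposed: flipping either realm flag, enabling EmailAuthBackend, or running 10.2 or later makes `assess` return False, which mirrors the workarounds and the patch described later on this page.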
Attack Vector
The attack is exploitable remotely over the network with no privileges and no user interaction. An attacker identifies a Zulip organization configured with SSO-only authentication, no required invitations, and no domain restrictions. The attacker then submits a registration request directly to the account creation endpoint, bypassing the SSO challenge entirely. Technical details are documented in the Zulip GitHub Security Advisory GHSA-qxfv-j6vg-5rqc and the fix commit b5ab90a.
Detection Methods for CVE-2025-31478
Indicators of Compromise
- New user accounts in Zulip organizations that do not correspond to identities in the configured SSO provider
- Account creation events lacking a corresponding SSO authentication log entry
- Registrations originating from IP ranges or geographies inconsistent with the workforce
Detection Strategies
- Reconcile the Zulip user roster against the SSO identity provider's user directory on a recurring basis
- Audit Zulip server logs for POST requests to the /accounts/register/ signup endpoint that are not preceded by a successful SSO assertion for the same user
- Alert on account creation events where the authentication method recorded does not match the organization's configured SSO backend
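The indicators and the reconciliation strategy above can be run as a scheduled job. The following Python script is an added example, not Zulip's own tooling: it reconciles a realm's user roster against an export of the SSO provider's directory, flags active human accounts the IdP has never seen, and counts signups per day so a burst of registrations stands out. The roster follows the shape of the `members` array returned by Zulip's GET /api/v1/users endpoint; both the roster and the IdP directory embedded below are constructed sample data.

```python
# Added detection example (not Zulip project code). It reconciles a Zulip realm's
# user roster against the SSO provider's directory and checks signup volume.
# The roster follows the shape of the `members` array returned by Zulip's
# GET /api/v1/users endpoint (email, user_id, is_bot, is_active, date_joined);
# both the roster and the IdP directory below are constructed sample data.
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional

ZULIP_USERS = {
    "members": [
        {"user_id": 8, "email": "alice@example.com", "is_bot": False, "is_active": True,
         "date_joined": "2025-01-10T09:12:00Z"},
        {"user_id": 12, "email": "bob@example.com", "is_bot": False, "is_active": True,
         "date_joined": "2025-02-03T14:30:00Z"},
        # Mixed-case address: must still match the IdP entry after normalisation.
        {"user_id": 30, "email": "Carol@Example.com", "is_bot": False, "is_active": True,
         "date_joined": "2025-04-20T08:00:00Z"},
        # Two accounts the IdP has never seen, created minutes apart.
        {"user_id": 31, "email": "mallory@example.com", "is_bot": False, "is_active": True,
         "date_joined": "2025-04-20T08:05:00Z"},
        {"user_id": 32, "email": "eve@outside.invalid", "is_bot": False, "is_active": True,
         "date_joined": "2025-04-20T08:07:00Z"},
        # Bots and deactivated users are not SSO identities and are skipped.
        {"user_id": 40, "email": "notification-bot@zulip.example.com", "is_bot": True,
         "is_active": True, "date_joined": "2025-01-01T00:00:00Z"},
        {"user_id": 5, "email": "old-contractor@example.com", "is_bot": False,
         "is_active": False, "date_joined": "2024-11-05T10:00:00Z"},
    ]
}
# Constructed export of the identity provider's user directory.
IDP_DIRECTORY = ["alice@example.com", "bob@example.com", "carol@example.com", "dave@example.com"]


def normalize(email: str) -> str:
    """Compare addresses case-insensitively and ignore surrounding whitespace."""
    return email.strip().lower()


def joined_at(member: Dict) -> datetime:
    """Parse the ISO 8601 timestamp Zulip reports; fromisoformat on older
    Pythons does not accept a trailing 'Z', so map it to +00:00 first."""
    return datetime.fromisoformat(member["date_joined"].replace("Z", "+00:00"))


def human_active_members(roster: Dict) -> List[Dict]:
    """Only active, non-bot accounts can correspond to an SSO identity."""
    return [m for m in roster["members"] if not m["is_bot"] and m["is_active"]]


def unmatched_accounts(roster: Dict, idp_emails: Iterable[str],
                       since: Optional[datetime] = None) -> List[Dict]:
    """Return active human accounts absent from the IdP directory, oldest first,
    optionally limited to accounts created at or after `since`."""
    known = {normalize(e) for e in idp_emails}
    orphans = []
    for m in human_active_members(roster):
        created = joined_at(m)
        if since is not None and created < since:
            continue
        if normalize(m["email"]) not in known:
            orphans.append({"user_id": m["user_id"], "email": m["email"], "date_joined": created})
    return sorted(orphans, key=lambda o: o["date_joined"])


def daily_signup_counts(roster: Dict) -> Counter:
    """Count active human signups per UTC day."""
    return Counter(joined_at(m).astimezone(timezone.utc).date().isoformat()
                   for m in human_active_members(roster))


def signup_spikes(roster: Dict, max_per_day: int) -> List[str]:
    """Days on which more accounts were created than the realm normally sees."""
    return sorted(day for day, n in daily_signup_counts(roster).items() if n > max_per_day)


if __name__ == "__main__":
    for orphan in unmatched_accounts(ZULIP_USERS, IDP_DIRECTORY):
        print(f"no IdP identity: user_id={orphan['user_id']} {orphan['email']} "
              f"joined {orphan['date_joined']:%Y-%m-%d %H:%M}")
    print("signup spikes:", signup_spikes(ZULIP_USERS, max_per_day=2))
```

On the sample data the script reports mallory@example.com and eve@outside.invalid as accounts with no IdP identity and 2025-04-20 as a signup spike; in production, feed it the realm's /api/v1/users response and a fresh directory export, and pass `since` to limit the check to the window since the last run.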
Monitoring Recommendations
- Forward Zulip application and authentication logs to a centralized SIEM for correlation with identity provider events
- Track signup volume and rate of new accounts; investigate sudden spikes in SSO-restricted organizations
- Monitor for direct HTTP POST requests to registration endpoints that bypass typical SSO redirect flows
How to Mitigate CVE-2025-31478
Immediate Actions Required
- Upgrade Zulip Server to version 10.2 or later, which contains the official fix
- Audit existing user accounts in all SSO-only organizations and disable any accounts that cannot be matched to the SSO provider
- Review organization-level settings for invitation requirements and email domain restrictions
Patch Information
Zulip released the fix in version 10.2. The patch is implemented in commit b5ab90a and detailed in the Zulip Security Advisory GHSA-qxfv-j6vg-5rqc. Administrators should apply the upgrade promptly, particularly for internet-facing deployments.
Workarounds
- Require invitations to join the organization, which blocks the vulnerable registration path entirely
- Enable email domain restrictions to limit which addresses can register, reducing exposure until patching is complete
- Do not re-enable EmailAuthBackend as a stopgap: it deliberately permits email/password signups, which is exactly the exposure the SSO-only configuration exists to prevent
# Check the running version (ZULIP_VERSION is defined in the deployment's version.py)
grep '^ZULIP_VERSION' /home/zulip/deployments/current/version.py
# Upgrade to the fixed release from the official tarball; Zulip's upgrade scripts must run as root, not as the zulip user
sudo -i
curl -fLO https://download.zulip.com/server/zulip-server-10.2.tar.gz
/home/zulip/deployments/current/scripts/upgrade-zulip zulip-server-10.2.tar.gz
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


