Zulip 1.7.2 security release

Today we’re releasing Zulip Server 1.7.2. This is a security release, containing just a handful of cherry-picked changes since 1.7.1.

What’s new

This release fixes several security issues:

  • CVE-2018-9986: Fix XSS issues with frontend markdown processor.
  • CVE-2018-9987: Fix XSS issue with muting notifications.
  • CVE-2018-9990: Fix XSS issue with stream names in topic typeahead.
  • CVE-2018-9999: Fix XSS issue with user uploads and the (default) LOCAL_UPLOADS_DIR storage backend.

CVE-2018-9987 was introduced in Zulip 1.5.0; the other three issues were present in the first public release of Zulip. None of these issues were publicly known before today.

Thanks to Suhas Sunil Gaikwad for reporting CVE-2018-9987 and w9w for reporting CVE-2018-9986 and CVE-2018-9990.


All users should upgrade promptly to secure their systems. See the upgrade instructions in the Zulip documentation.

If you’re upgrading from 1.7.1, then the code changes are small and there are no migrations or dependency changes, so the risk of unexpected disruption is low.

If you need help, best-effort support is available on chat.zulip.org, the Zulip community chat server.


We love feedback from the Zulip user community. Here are a few ways you can connect:

Thanks to Rohitt Vashishtha for help in preparing this release.

-Tim Abbott

Tim Abbott

Tim Abbott is the lead developer of the Zulip open source project and CEO of Kandra Labs, the company providing Zulip hosting and commercial support. Previously, he was founder and CTO of Ksplice.

San Francisco https://zulip.org

Subscribe to The Zulip Blog

Get the latest posts delivered right to your inbox.

or subscribe via RSS with Feedly!