{"id":"CVE-2022-24751","summary":"Race condition in Zulip","details":"Zulip is an open source group chat application. Starting with version 4.0 and prior to version 4.11, Zulip is vulnerable to a race condition during account deactivation, where a simultaneous access by the user being deactivated may, in rare cases, allow continued access by the deactivated user. A patch is available in version 4.11 on the 4.x branch and version 5.0-rc1 on the 5.x branch. Upgrading to a fixed version will, as a side effect, deactivate any cached sessions that may have been leaked through this bug. There are currently no known workarounds.","aliases":["GHSA-6v98-m5x5-phqj"],"modified":"2026-04-10T04:45:31.972969Z","published":"2022-03-16T13:30:15Z","database_specific":{"cwe_ids":["CWE-362"],"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24751.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/24xxx/CVE-2022-24751.json"},{"type":"ADVISORY","url":"https://github.com/zulip/zulip/security/advisories/GHSA-6v98-m5x5-phqj"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24751"},{"type":"FIX","url":"https://github.com/zulip/zulip/commit/62ba8e455d8f460001d9fb486a6dabfd1ed67717"},{"type":"FIX","url":"https://github.com/zulip/zulip/commit/e6eace307ef435eec3395c99247155efed9219e4"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/zulip/zulip","events":[{"introduced":"23e0ea5e327ae88b58c14e34e75fab44ed63a36e"},{"fixed":"8c31437dd1ef9ce8ba92c123c8b04751ea89bac6"}]}],"versions":["4.0","4.0-dev","4.1","4.10","4.2","4.3","4.4","4.5","4.6","4.7","4.8","4.9","shared-0.0.3","shared-0.0.4","shared-0.0.5"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-24751.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"}]}