CVE-2026-45688

Rocket.Chat · Rocket.Chat

An unauthenticated attacker can use NoSQL injection in the CAS login handler to bypass authentication and hijack active user sessions, including administrative accounts.

Executive summary

An unauthenticated NoSQL injection vulnerability in the Rocket.Chat CAS login handler allows attackers to bypass authentication and gain full unauthorized access to user accounts.

Vulnerability

The CAS login handler fails to validate the credentialToken parameter, allowing an unauthenticated attacker to inject NoSQL operators into the MongoDB query. This permits the attacker to match and hijack the authentication tokens of legitimate users currently performing SSO logins.

Business impact

Successful exploitation results in total account takeover, granting the attacker the same permissions as the victim, including full administrative access to the platform. With a CVSS score of 9.1, this vulnerability represents an existential risk to the platform's security and the privacy of user data.

Remediation

Immediate Action: Apply the vendor-provided patches (versions 8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11) as the primary mitigation.

Proactive Monitoring: Review application logs for unexpected DDP login activity or login sessions that deviate from standard patterns.

Compensating Controls: Implement strict ingress filtering or WAF rules to sanitize NoSQL query operators from incoming web traffic targeting the login service.
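The defect class described under Vulnerability, and the compensating control above, in working form as an added example (this is illustrative code written for this page, not Rocket.Chat's CAS handler or the vendor's patch). It assumes a hypothetical login body shape, an assumed MongoDB field name `services.cas.credentialToken`, and an assumed 256-character token bound; the vulnerable selector builder is shown beside a hardened one that admits only a plain string, and a request-level screen rejects any login parameter carrying a `$`-prefixed key before it reaches the database:

```javascript
// Added example, not Rocket.Chat code: an input guard for a CAS login
// payload that keeps the `credentialToken` parameter from reaching the
// MongoDB query as anything other than a plain string. The login-body
// shape and the field name below are assumptions for illustration.

// True if `value` (searched recursively) contains any object key beginning
// with '$', which MongoDB would interpret as a query operator.
function containsQueryOperator(value) {
  if (value === null || typeof value !== 'object') return false;
  if (Array.isArray(value)) return value.some(containsQueryOperator);
  return Object.entries(value).some(
    ([key, inner]) => key.startsWith('$') || containsQueryOperator(inner),
  );
}

// Vulnerable pattern: whatever the client sent becomes the selector value.
// If that value is an object rather than a string, the database receives
// an operator expression instead of an equality match on one token.
function buildSelectorUnsafe(credentialToken) {
  return { 'services.cas.credentialToken': credentialToken }; // assumed field name
}

// Hardened pattern: only a bounded, non-empty string is accepted; any other
// type (object, array, number, null) is rejected before a query is built.
const MAX_TOKEN_LENGTH = 256; // assumed upper bound for a CAS ticket/token

function validateCredentialToken(credentialToken) {
  if (typeof credentialToken !== 'string') {
    throw new TypeError('credentialToken must be a string');
  }
  if (credentialToken.length === 0 || credentialToken.length > MAX_TOKEN_LENGTH) {
    throw new RangeError('credentialToken has an invalid length');
  }
  return credentialToken;
}

function buildSelectorSafe(credentialToken) {
  return { 'services.cas.credentialToken': validateCredentialToken(credentialToken) };
}

// Request-level compensating control (the WAF-style filter the remediation
// section describes): refuse any login body whose parameters carry operator
// keys, so even an unpatched handler never sees them.
function screenLoginBody(body) {
  if (containsQueryOperator(body)) {
    return { accepted: false, reason: 'query operator in login parameters' };
  }
  return { accepted: true, reason: null };
}

// Demonstration on constructed inputs: a string token passes, a non-string
// token is stopped both by the screen and by the hardened selector builder.
function demo() {
  const results = {};
  results.stringAccepted = screenLoginBody({ cas: { credentialToken: 'abc123' } }).accepted;
  results.objectRejected = !screenLoginBody({ cas: { credentialToken: { $op: 1 } } }).accepted;
  // The unsafe builder silently carries an object into the selector ...
  results.unsafeCarriesObject =
    typeof buildSelectorUnsafe({ $op: 1 })['services.cas.credentialToken'] === 'object';
  // ... while the hardened builder refuses it before any query is issued.
  let safeThrew = false;
  try { buildSelectorSafe({ $op: 1 }); } catch (e) { safeThrew = e instanceof TypeError; }
  results.safeRejectsObject = safeThrew;
  return results;
}

console.log(demo());
```

The screen is deliberately coarse: it rejects on key shape alone, without trying to interpret the operator, which is the right trade-off for a perimeter control. The durable fix remains the type check in the handler itself, since a filter in front of the service can be bypassed by any path that reaches the handler without passing through it.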

Exploitation status

Public Exploit Available: No

Analyst recommendation

The risk of administrative compromise via this authentication bypass is significant. Security teams should treat this as a high-priority incident and ensure all Rocket.Chat instances are updated to one of the patched versions listed above to prevent unauthorized session hijacking.