CVE-2026-45689
Rocket.Chat · Rocket.Chat
An unauthenticated attacker can inject MongoDB operators into the OAuth token endpoint to steal valid access tokens for arbitrary users, including administrators.
Executive summary
An unauthenticated remote code execution vulnerability in Rocket.Chat allows attackers to hijack arbitrary user sessions, including those with administrative privileges, via malicious OAuth requests.
Vulnerability
This is an improper input validation vulnerability where the OAuth2 server fails to sanitize grant parameters before processing them in a MongoDB query. An unauthenticated attacker can supply NoSQL injection payloads to retrieve and iterate through valid bearer tokens.
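The core of the flaw described above is a grant parameter reaching a MongoDB filter with its type unchecked. The following is an added illustration, not Rocket.Chat's code: a constructed in-memory token store, a weak lookup that passes the parameter straight into the filter, and a hardened lookup that enforces the string type an OAuth token must have before any query runs. All names (TOKENS, findTokenUnsafe, findTokenSafe, validateGrantParam) are hypothetical.

```javascript
// Added example, not from Rocket.Chat. Constructed stand-in for a tokens
// collection so the example runs offline.
const TOKENS = [
  { accessToken: 'tok-admin-0001', userId: 'admin' },
  { accessToken: 'tok-user-0002', userId: 'alice' },
];

// Minimal matcher emulating MongoDB filter semantics for this example:
// a plain string is an equality match, an object is treated as an operator.
function matches(doc, filter) {
  return Object.entries(filter).every(([field, cond]) => {
    const value = doc[field];
    if (cond !== null && typeof cond === 'object') {
      // An operator object such as { $ne: null } changes the meaning of the
      // query from "this exact token" to "any token"; that is the input class
      // the advisory describes.
      if ('$ne' in cond) return value !== cond.$ne;
      return false;
    }
    return value === cond;
  });
}

// Weak form: the request parameter goes into the filter unchanged, so a JSON
// object in the request body is interpreted as a query operator.
function findTokenUnsafe(param) {
  return TOKENS.filter((doc) => matches(doc, { accessToken: param }));
}

// Hardened form: enforce the type and shape the protocol actually allows.
// A bearer token is an opaque string; anything else is rejected before the
// database is consulted, so operator objects never reach the filter.
function validateGrantParam(name, value) {
  if (typeof value !== 'string') {
    throw new TypeError(`${name} must be a string, got ${typeof value}`);
  }
  if (value.length === 0 || value.length > 512) {
    throw new RangeError(`${name} has invalid length`);
  }
  return value;
}

function findTokenSafe(param) {
  const token = validateGrantParam('access_token', param);
  return TOKENS.filter((doc) => matches(doc, { accessToken: token }));
}
```

The validation step is deliberately placed before the query rather than inside it: a schema check at the request boundary (string type, bounded length) removes the whole class of operator injection, whereas stripping individual `$` keys would have to keep pace with every operator MongoDB supports.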
Business impact
The ability to hijack administrative sessions provides full control over the communication platform, leading to potential data exfiltration, unauthorized communication, and server-side code execution via the Apps-Engine. Given the CVSS score of 9.1, this vulnerability poses an extreme risk to organizational confidentiality and integrity.
Remediation
Immediate Action: Upgrade to a patched version (8.5.0, 8.4.1, 8.3.3, 8.2.3, 8.1.4, 8.0.5, 7.13.7, or 7.10.11) immediately to resolve the injection flaw.
Proactive Monitoring: Audit access logs for anomalous HTTP POST requests to the /oauth/token endpoint, particularly those containing MongoDB query syntax.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to block requests containing common NoSQL injection patterns.
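As an added example of the log audit recommended above (not part of the advisory and not a Rocket.Chat tool), the routine below scans constructed log lines and flags POST requests to /oauth/token whose query string or logged request body contains MongoDB operator syntax, including the percent-encoded and bracket-parameter forms a proxy may log. The log format, IP addresses and parseLine/flagSuspiciousTokenRequests names are all assumptions; request bodies appear in logs only where body logging is enabled.

```javascript
// Added example, not from Rocket.Chat or the advisory.
// Operators that have no business appearing in an OAuth grant parameter.
const MONGO_OPERATOR = /\$(?:ne|gt|gte|lt|lte|in|nin|regex|exists|where|or|and|not)\b/i;

// Constructed log lines, one per request:
// "<ip> <method> <path> <status> body=<json-or-dash>"
const SAMPLE_LOG = [
  '10.0.0.5 POST /oauth/token 200 body={"grant_type":"refresh_token","refresh_token":"abc123"}',
  '10.0.0.9 POST /oauth/token 200 body={"grant_type":"refresh_token","refresh_token":{"$ne":null}}',
  '10.0.0.9 POST /oauth/token?access_token[%24ne]=x 200 body=-',
  '10.0.0.7 GET /oauth/authorize?client_id=web 302 body=-',
  '10.0.0.7 POST /api/v1/login 200 body={"user":"alice","password":"x"}',
].join('\n');

function parseLine(line) {
  const m = /^(\S+) (\S+) (\S+) (\d{3}) body=(.*)$/.exec(line);
  if (!m) return null;
  const [, ip, method, target, status, body] = m;
  const [path, query = ''] = target.split('?');
  return { ip, method, path, query, status: Number(status), body: body === '-' ? '' : body };
}

// Percent-decode so that %24ne is seen as $ne; fall back to the raw text on bad encoding.
function decode(s) {
  try { return decodeURIComponent(s); } catch { return s; }
}

// Returns the entries a reviewer should look at, with where the operator was found.
function flagSuspiciousTokenRequests(logText) {
  const findings = [];
  for (const line of logText.split('\n')) {
    const e = parseLine(line);
    if (!e || e.method !== 'POST' || e.path !== '/oauth/token') continue;
    if (MONGO_OPERATOR.test(decode(e.query))) {
      findings.push({ ip: e.ip, where: 'query', line });
    } else if (MONGO_OPERATOR.test(decode(e.body))) {
      findings.push({ ip: e.ip, where: 'body', line });
    }
  }
  return findings;
}
```

The check is scoped to the token endpoint on purpose: operator-like text can legitimately occur in message bodies elsewhere in a chat platform, so a platform-wide match would be noisy, while the same pattern on /oauth/token has no benign explanation. The same regular expression is a reasonable starting point for the WAF rule mentioned above.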
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability represents a critical security failure in the authentication layer of Rocket.Chat. Administrators must prioritize patching these instances immediately to prevent full administrative takeover. Delaying updates leaves the platform exposed to complete compromise and unauthorized access to sensitive internal communications.