Company:
Date Published:
Author: Paul Gerste
Word count: 2260
Language: English
Hacker News points: None

Summary

Two critical vulnerabilities in Rocket.Chat's source code can be chained by an attacker to gain complete control over a server, starting with nothing more than any user's email address. The first is a Blind NoSQL Injection that leaks a user's password reset token; the second is a NoSQL Injection that elevates privileges and leaks sensitive data. To prevent this class of vulnerability, validate all user input strictly, restrict the use of operators in queries, prefer allowlists over blocklists, and keep in mind that restricting projection alone is not enough to stop blind or error-based NoSQL Injections. Rocket.Chat has released fixed versions (3.13.2, 3.12.4, 3.11.4), and users are strongly advised to update to the latest version.
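The mitigation advice above (strict input validation, no operators in user-controlled query values, allowlists over blocklists) is illustrated by the following added example. It is not Rocket.Chat's code and not from the original post: the field name `email`, the request shapes, and the email regex are assumptions constructed for the demonstration. It contrasts a lookup that splices a parsed JSON value straight into a MongoDB query with one that allowlists the value's type and shape first, and adds a small detector that a request screener or log pipeline can use to flag operator-shaped input.

```javascript
// Added example (not Rocket.Chat's code). Demonstrates why a parsed JSON
// body must be type-checked before it becomes part of a MongoDB query,
// and how to detect operator-shaped input for logging or rejection.

// Walk a parsed JSON value and return the first object key that starts
// with '$' (a MongoDB operator such as $ne or $gt), or null if none exists.
function findOperatorKey(value) {
  if (Array.isArray(value)) {
    for (const item of value) {
      const hit = findOperatorKey(item);
      if (hit !== null) return hit;
    }
    return null;
  }
  if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      if (key.startsWith('$')) return key;
      const hit = findOperatorKey(child);
      if (hit !== null) return hit;
    }
  }
  return null;
}

// Vulnerable pattern: whatever the client sent (string or object) is used
// as the query value, so an object with operator keys changes the query's
// meaning instead of being matched as a literal value.
function buildLookupUnsafe(emailParam) {
  return { email: emailParam }; // 'email' is an assumed field name
}

// Hardened pattern: allowlist the type and the shape before the value
// reaches the database. Anything that is not a plain string is refused,
// so operator objects can never be interpreted by the query engine.
const EMAIL_RE = /^[^\s@]{1,64}@[^\s@]{1,255}$/; // assumed, deliberately simple
function buildLookupSafe(emailParam) {
  if (typeof emailParam !== 'string') {
    throw new TypeError('email must be a string');
  }
  if (!EMAIL_RE.test(emailParam)) {
    throw new RangeError('email has an invalid shape');
  }
  return { email: emailParam };
}

// Request screener for a detection or logging layer: reports why a body
// would be refused without touching the database at all.
function screenRequest(body) {
  const op = findOperatorKey(body);
  if (op !== null) return { ok: false, reason: `operator key ${op} in request` };
  if (typeof body.email !== 'string') return { ok: false, reason: 'email is not a string' };
  if (!EMAIL_RE.test(body.email)) return { ok: false, reason: 'email has an invalid shape' };
  return { ok: true, reason: 'accepted' };
}

// Constructed request bodies for the demo (not captured traffic).
const benignBody = { email: 'alice@example.com' };
const operatorBody = { email: { $ne: '' } };

function demo() {
  return {
    unsafeQuery: buildLookupUnsafe(operatorBody.email), // operator survives
    safeQuery: buildLookupSafe(benignBody.email),       // literal string only
    benignScreen: screenRequest(benignBody),
    operatorScreen: screenRequest(operatorBody),
  };
}

module.exports = { findOperatorKey, buildLookupUnsafe, buildLookupSafe, screenRequest, demo };
```

The key design choice is that the safe builder refuses by type rather than by scrubbing `$` keys out of objects: a blocklist of operator names would have to track every operator MongoDB adds, whereas "must be a string matching this shape" is an allowlist that stays correct. `screenRequest` is the same rule expressed as a non-throwing report, which is what a detection rule or WAF-style check wants.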