
NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket

Blog post from Sonar

Post Details
Company: Sonar
Date Published:
Author: Paul Gerste
Word Count: 2,260
Company Posts That Month: 3
Language: English
Hacker News Points: -
Post removed?: No
Summary

Critical vulnerabilities in Rocket.Chat's source code can be exploited by an attacker to gain complete control over a server, starting with as little as any user's email address. The first vulnerability is a blind NoSQL injection that allows leaking a user's password reset token; the second is a NoSQL injection that can be used to elevate privileges and leak sensitive data. To prevent such vulnerabilities, validate all user input strictly, restrict the use of query operators, prefer allowlists over blocklists, and keep in mind that restricting the projection alone does not prevent blind or error-based NoSQL injections. Rocket.Chat has released fixed versions (3.13.2, 3.12.4, 3.11.4), and users are strongly recommended to update to the latest version.

Trends Found in this Post
Trend: Secrets Management
Post Mentions: 1
Total Month Mentions: 449
Posts: 53
Companies: 30
MoM (month over month): -56%