CVE-2022-32219: Information Disclosure (CWE-200) in Rocket.Chat
An information disclosure vulnerability exists in Rocket.Chat <v4.7.5: the "users.list" REST endpoint takes a query parameter from JSON and runs Users.find(queryFromClientSide). This means virtually any authenticated user can access any data (except password hashes) of any authenticated user.
AI Analysis
Technical Summary
CVE-2022-32219 is an information disclosure vulnerability identified in Rocket.Chat versions prior to 4.7.5. Rocket.Chat is an open-source team communication platform widely used for messaging and collaboration. The vulnerability arises from the "users.list" REST API endpoint, which accepts a query parameter in JSON format and executes a database query using Users.find(queryFromClientSide). This implementation flaw allows any authenticated user to craft arbitrary queries that can retrieve information about any other user in the system, excluding password hashes. The root cause is insufficient access control and improper sanitization of client-supplied query parameters, leading to unauthorized data exposure. Since the vulnerability requires authentication but no additional privileges or user interaction, it can be exploited by any legitimate user of the platform to access sensitive user data such as email addresses, profile details, or other personal information stored in Rocket.Chat. The vulnerability has a CVSS 3.1 base score of 4.3 (medium severity), reflecting its limited impact on confidentiality and no impact on integrity or availability. No known exploits have been reported in the wild, and the issue was fixed in Rocket.Chat version 4.7.5 and later.
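To make the flaw concrete, here is an added example (not Rocket.Chat's code) of the pattern the analysis describes: a "users.list"-style handler that forwards the caller's JSON filter straight to the collection's find(), placed beside a hardened version that builds the filter and the projection on the server. The in-memory collection, the `find()` stand-in, the field allowlists and the permission name used for privileged callers are all assumptions constructed for this example.

```javascript
// Added example, not Rocket.Chat's code. A constructed in-memory stand-in for
// the Users collection and two versions of a "users.list" style handler.
const users = [
  { _id: 'u1', username: 'alice', name: 'Alice', emails: [{ address: 'alice@example.test' }],
    roles: ['admin'], services: { password: { bcrypt: '<hash placeholder>' } } },
  { _id: 'u2', username: 'bob', name: 'Bob', emails: [{ address: 'bob@example.test' }],
    roles: ['user'], services: { password: { bcrypt: '<hash placeholder>' } } },
];

// Stand-in for Users.find(filter): exact match on top-level fields; an array
// field matches when it contains the value, roughly as MongoDB treats { roles: 'admin' }.
function find(collection, filter) {
  return collection.filter((doc) =>
    Object.entries(filter).every(([field, wanted]) => {
      const actual = doc[field];
      return Array.isArray(actual) ? actual.includes(wanted) : actual === wanted;
    }));
}

// Vulnerable shape (the CVE-2022-32219 pattern): whatever JSON the caller sends
// becomes the database filter, and every field of every match is returned.
function vulnerableUsersList(req) {
  const queryFromClientSide = JSON.parse(req.query.query || '{}');
  return find(users, queryFromClientSide);
}

// Hardened shape: the caller may only filter on allowlisted fields with plain
// string values (so no operator objects get through), and the response is
// projected to a fixed set of public fields. Password hashes are never sent;
// e-mail addresses and roles only go to callers holding the (assumed) permission.
const FILTERABLE = new Set(['username', 'name']);
const PUBLIC_FIELDS = ['_id', 'username', 'name'];
const PRIVILEGED_FIELDS = ['emails', 'roles'];
const FULL_INFO_PERMISSION = 'view-full-other-user-info'; // permission name assumed for this example

function hardenedUsersList(req, callerPermissions = new Set()) {
  const requested = JSON.parse(req.query.query || '{}');
  const filter = {};
  for (const [field, value] of Object.entries(requested)) {
    if (!FILTERABLE.has(field)) throw new Error(`field not filterable: ${field}`);
    if (typeof value !== 'string') throw new Error(`filter value for ${field} must be a string`);
    filter[field] = value;
  }
  const fields = callerPermissions.has(FULL_INFO_PERMISSION)
    ? [...PUBLIC_FIELDS, ...PRIVILEGED_FIELDS]
    : PUBLIC_FIELDS;
  // Projection is applied server side, so the client never chooses which fields come back.
  return find(users, filter).map((doc) => Object.fromEntries(fields.map((f) => [f, doc[f]])));
}
```

The two handlers differ in who controls the filter and the projection. Rejecting non-string filter values is what keeps operator objects out; the fixed projection is what keeps `services` and other sensitive sub-documents from leaving the server regardless of what matched.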
Potential Impact
For European organizations using Rocket.Chat, this vulnerability poses a risk of unauthorized disclosure of user information within their communication environment. Exposure of personal data could lead to privacy violations under the EU's GDPR regulations, potentially resulting in regulatory fines and reputational damage. Internal user data leakage might facilitate targeted phishing or social engineering attacks by malicious insiders or compromised accounts. Although the vulnerability does not allow password or credential theft, the exposure of user metadata can aid attackers in lateral movement or reconnaissance within the organization. The impact is more pronounced in sectors with strict data protection requirements such as finance, healthcare, and government institutions. Since Rocket.Chat is often deployed in private cloud or on-premises environments, organizations with less frequent patch management cycles are at higher risk. The absence of known active exploitation reduces immediate threat but does not eliminate the risk of future attacks leveraging this vulnerability.
Mitigation Recommendations
Organizations should promptly upgrade Rocket.Chat installations to version 4.7.5 or later, where this vulnerability is patched. Until upgrades can be applied, administrators should restrict access to the "users.list" endpoint by implementing additional access controls or API gateway filtering to limit query parameters or user roles that can invoke this endpoint. Monitoring and logging of API calls to detect unusual query patterns or excessive user data requests can help identify exploitation attempts. Employing network segmentation and strict authentication policies reduces the risk of compromised accounts being used to exploit this flaw. Regular security audits of Rocket.Chat configurations and user permissions are recommended to ensure least privilege principles are enforced. Additionally, organizations should review and update their incident response plans to address potential data disclosure incidents involving internal communication platforms.
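As an added illustration of the monitoring step above (this is example code, not part of the advisory or of Rocket.Chat), the detector below runs over constructed reverse-proxy access log lines for `/api/v1/users.list` and flags two things: filters that name fields outside a small allowlist or use MongoDB operators, and accounts that call the endpoint more than a threshold number of times inside a time window. The log format, the `X-User-Id`-style second column, the allowlist and the thresholds are assumptions for this example.

```javascript
// Added example, not part of the advisory or of Rocket.Chat. Constructed access
// log lines: "<ISO timestamp> <user id> <status> <method> <path?query>".
const SAMPLE_LOG = `
2025-01-10T09:00:01Z u1 200 GET /api/v1/users.list?query=%7B%22username%22%3A%22bob%22%7D
2025-01-10T09:00:02Z u1 200 GET /api/v1/channels.list
2025-01-10T09:00:05Z u2 200 GET /api/v1/users.list?query=%7B%22roles%22%3A%22admin%22%7D
2025-01-10T09:00:09Z u2 200 GET /api/v1/users.list?query=%7B%22username%22%3A%7B%22%24exists%22%3Atrue%7D%7D
2025-01-10T09:01:00Z u3 200 GET /api/v1/users.list?query=%7B%22name%22%3A%22a%22%7D
2025-01-10T09:01:05Z u3 200 GET /api/v1/users.list?query=%7B%22name%22%3A%22b%22%7D
2025-01-10T09:01:10Z u3 200 GET /api/v1/users.list?query=%7B%22name%22%3A%22c%22%7D
2025-01-10T09:01:15Z u3 200 GET /api/v1/users.list?query=%7B%22name%22%3A%22d%22%7D
2025-01-10T09:02:30Z u4 400 GET /api/v1/users.list?query=%7Bnot-json
`;

const ALLOWED_FILTER_FIELDS = new Set(['username', 'name']); // assumed allowlist
const RATE_LIMIT = 3;         // more than this many users.list calls ...
const RATE_WINDOW_MS = 60000; // ... inside this window is flagged

const LINE_RE = /^(\S+) (\S+) (\d{3}) (\S+) (\S+)$/;

// Parse one log line into its parts; the query string is decoded via URL.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const [, ts, userId, status, method, target] = m;
  const url = new URL(target, 'http://rocketchat.invalid');
  return { ts: Date.parse(ts), userId, status: Number(status), method,
           path: url.pathname, query: url.searchParams.get('query') };
}

// Recursively collect keys that are MongoDB operators ($regex, $ne, $exists, ...).
function operatorKeys(value, found = []) {
  if (value && typeof value === 'object') {
    for (const [k, v] of Object.entries(value)) {
      if (k.startsWith('$')) found.push(k);
      operatorKeys(v, found);
    }
  }
  return found;
}

// Returns a list of { userId, reason } findings for the users.list endpoint.
function analyzeUsersList(logText) {
  const findings = [];
  const byUser = new Map(); // userId -> timestamps of users.list calls
  for (const raw of logText.split('\n')) {
    const rec = parseLine(raw);
    if (!rec || rec.path !== '/api/v1/users.list') continue;
    if (!byUser.has(rec.userId)) byUser.set(rec.userId, []);
    byUser.get(rec.userId).push(rec.ts);
    if (rec.query === null) continue;
    let filter;
    try {
      filter = JSON.parse(rec.query);
    } catch {
      findings.push({ userId: rec.userId, reason: 'unparseable query' });
      continue;
    }
    const ops = operatorKeys(filter);
    if (ops.length) findings.push({ userId: rec.userId, reason: `operator in query: ${ops.join(',')}` });
    const bad = Object.keys(filter).filter((k) => !ALLOWED_FILTER_FIELDS.has(k));
    if (bad.length) findings.push({ userId: rec.userId, reason: `non-allowlisted field: ${bad.join(',')}` });
  }
  // Sliding-window rate check per account, reported at most once per account.
  for (const [userId, times] of byUser) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > RATE_WINDOW_MS) start++;
      if (end - start + 1 > RATE_LIMIT) {
        findings.push({ userId, reason: `rate: ${end - start + 1} users.list calls within ${RATE_WINDOW_MS / 1000}s` });
        break;
      }
    }
  }
  return findings;
}
```

On the constructed input this reports u2 twice (a non-allowlisted field, then an operator), u4 once for an unparseable query and u3 once for volume; u1's single allowlisted lookup is not reported. The same allowlist a hardened handler enforces is what makes the detection rule precise, so keep the two in step.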
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: hackerone
- Date Reserved: 2022-06-01T00:00:00.000Z
- Cisa Enriched: true
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 682f41160acd01a249262000
Added to database: 5/22/2025, 3:21:58 PM
Last enriched: 7/8/2025, 9:42:37 AM
Last updated: 8/8/2025, 12:29:15 PM