CVE-2022-32220: Information Disclosure (CWE-200) in Rocket.Chat
An information disclosure vulnerability exists in Rocket.Chat <v5 because the getUserMentionsByChannel Meteor server method discloses messages from private channels and direct messages regardless of the user's access permission to the room.
AI Analysis
Technical Summary
CVE-2022-32220 is an information disclosure vulnerability in Rocket.Chat versions prior to 5.0.0. Rocket.Chat is an open-source team communication platform used for messaging within organizations. The flaw is in the getUserMentionsByChannel Meteor server method, which, as its name indicates, returns the messages in a given room that mention the calling user. The method validated the caller and the room id but never checked whether the caller was permitted to read that room, so any authenticated low-privileged user could pass the id of a private channel or direct message they are not a member of and receive message content from it. Meteor server methods are invoked by clients directly over the DDP connection, so nothing in the web client's interface stands between a user and the method; the access check has to be enforced server-side, which is the missing control here (CWE-200). The vulnerability carries a CVSS 3.1 base score of 6.5 (medium): network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, high confidentiality impact, and no impact on integrity or availability. No known exploits in the wild had been reported as of publication. The issue is fixed in Rocket.Chat 5.0.0 and later releases.
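The following is an added example written for this page, not Rocket.Chat's own code, to make the missing check concrete. It models rooms, messages and a mentions-by-room lookup in memory with constructed sample data, and shows the vulnerable shape (caller and room validated, room access never checked) next to a hardened shape that consults a room-access predicate before returning anything. The canAccessRoom stand-in, the error names, and the user and room names are assumptions for the illustration; Rocket.Chat's real helper and exact fix differ in detail.

```javascript
// Added example (not Rocket.Chat's code): an in-memory model of the
// missing room-access check behind CVE-2022-32220. Rooms, messages and
// usernames below are constructed sample data.

// Room types follow Rocket.Chat's convention: 'c' public channel,
// 'p' private group, 'd' direct message. A Map avoids prototype lookups
// for attacker-supplied room ids such as "constructor".
const rooms = new Map([
  ['exec', { t: 'p', usernames: ['alice', 'bob'] }],
  ['dm1',  { t: 'd', usernames: ['alice', 'bob'] }],
  ['gen',  { t: 'c', usernames: ['alice', 'bob', 'eve'] }],
]);

const messages = [
  { _id: 'm1', rid: 'exec', u: 'bob',   msg: '@alice budget numbers attached', mentions: ['alice'] },
  { _id: 'm2', rid: 'dm1',  u: 'alice', msg: '@bob call me about the merger',  mentions: ['bob'] },
  { _id: 'm3', rid: 'gen',  u: 'bob',   msg: '@eve welcome aboard',            mentions: ['eve'] },
  // eve is mentioned in a private group she does not belong to:
  { _id: 'm4', rid: 'exec', u: 'alice', msg: '@eve must not see this thread', mentions: ['eve'] },
];

// Stand-in for a central room-access predicate (assumed helper; Rocket.Chat's
// real one is richer). Public channels are readable by anyone, private groups
// and DMs only by their members.
function canAccessRoom(room, username) {
  if (room.t === 'c') return true;
  return room.usernames.includes(username);
}

function findMentionsInRoom(username, roomId) {
  return messages.filter((m) => m.rid === roomId && m.mentions.includes(username));
}

// Vulnerable shape: authenticates the caller and validates the room id, but
// never asks whether the caller may read that room.
function getUserMentionsByChannelVulnerable(caller, { roomId }) {
  if (!caller) throw new Error('error-invalid-user');
  const room = rooms.get(roomId);
  if (!room) throw new Error('error-invalid-room');
  return findMentionsInRoom(caller, roomId);
}

// Hardened shape: the same lookups plus the authorization check before any
// data leaves the server. Unknown and inaccessible rooms get the same error,
// so the method does not confirm which private room ids exist.
function getUserMentionsByChannelFixed(caller, { roomId }) {
  if (!caller) throw new Error('error-invalid-user');
  const room = rooms.get(roomId);
  if (!room || !canAccessRoom(room, caller)) throw new Error('error-not-allowed');
  return findMentionsInRoom(caller, roomId);
}

// eve, a regular user outside the private group 'exec', asks for her mentions there.
function demo() {
  const leaked = getUserMentionsByChannelVulnerable('eve', { roomId: 'exec' }).map((m) => m._id);
  let denied = false;
  try {
    getUserMentionsByChannelFixed('eve', { roomId: 'exec' });
  } catch (e) {
    denied = e.message === 'error-not-allowed';
  }
  const allowed = getUserMentionsByChannelFixed('eve', { roomId: 'gen' }).map((m) => m._id);
  return { leaked, denied, allowed };
}

console.log(demo()); // { leaked: [ 'm4' ], denied: true, allowed: [ 'm3' ] }
```

The point worth carrying over to any Meteor method: validation of the inputs (user exists, room exists) is not authorization, and the check has to happen in the method because the client can call it with any room id it likes. Returning one error for both unknown and inaccessible rooms also keeps the method from acting as an oracle for private room ids.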
Potential Impact
For European organizations running Rocket.Chat versions prior to 5.0.0, the vulnerability puts the confidentiality of internal communications at risk. Disclosure of private channel and direct message content can expose business-sensitive information, intellectual property, or personal data protected under GDPR, with reputational damage, regulatory penalties, and loss of trust among clients and partners as possible consequences. Rocket.Chat is frequently self-hosted precisely in sectors that want their communications under their own control, such as finance, healthcare, and government, where leaked messages carry the most weight. Message integrity and service availability are unaffected, but in environments handling sensitive or regulated data the confidentiality loss alone is significant. The absence of known exploitation lowers the immediate risk, yet the attack is simple, network-reachable, and needs nothing more than a low-privileged account, so an insider or anyone who obtains such an account could use it.
Mitigation Recommendations
European organizations should verify the deployed Rocket.Chat version (for example from the administration panel or the server's /api/info response) and upgrade to 5.0.0 or later, where the method enforces room access. Where an upgrade cannot happen immediately, reduce who can reach the method at all: exploitation needs only an ordinary authenticated account, so disable open or anonymous registration, review guest and bot accounts, and remove stale users. Restricting the server to trusted networks and segmenting it helps only insofar as it keeps untrusted people from obtaining accounts. Monitor server logs for calls to getUserMentionsByChannel, in particular from users requesting mentions in rooms they are not members of. Note that Meteor methods are reached over the DDP websocket and, in Rocket.Chat, also through the REST endpoint POST /api/v1/method.call/<method>, so a Web Application Firewall rule keyed on the method name will see the REST path but generally not the websocket traffic; treat such rules as a detection aid rather than a control. Regular security assessments and penetration tests that exercise server-side authorization in Rocket.Chat deployments are recommended to surface similar access-control gaps.
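As an added example for the version-verification step above (written for this page, not taken from the advisory or from Rocket.Chat), the script below classifies a server's reported version against the 5.0.0 fix boundary and can query a live deployment. It assumes Rocket.Chat's unauthenticated GET /api/info endpoint returns a JSON body with a "version" string; if a deployment withholds that field, read the version from the administration panel instead. Pre-release builds of 5.0.0 itself are reported as "unknown" because the advisory only states that 5.0.0 and later are fixed. The sample response is constructed.

```javascript
// Added example, not part of the advisory or of Rocket.Chat: decide from a
// server's reported version whether it predates the 5.0.0 fix for
// CVE-2022-32220. Assumes GET /api/info returns JSON with a "version" string.

const FIXED_IN = '5.0.0';

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1 comparing a to b. Per semver, a pre-release sorts
// below the release it precedes (5.0.0-rc.1 < 5.0.0).
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// 'vulnerable' below 5.0.0, 'fixed' at or above it, 'unknown' for
// pre-releases of 5.0.0 itself, which the advisory does not cover.
function assessVersion(version) {
  const p = parseVersion(version);
  if (p.major === 5 && p.minor === 0 && p.patch === 0 && p.pre) return 'unknown';
  return compareVersions(version, FIXED_IN) < 0 ? 'vulnerable' : 'fixed';
}

// Extract and classify the version from an /api/info response body.
function assessInfoResponse(body) {
  const info = typeof body === 'string' ? JSON.parse(body) : body;
  if (!info || typeof info.version !== 'string') {
    throw new Error('response has no version field; read the version from the admin panel');
  }
  return { version: info.version, status: assessVersion(info.version) };
}

// Live check against a deployment (Node 18+ global fetch). Only runs when a
// base URL such as https://chat.example.org is given on the command line.
async function checkServer(baseUrl) {
  const res = await fetch(new URL('/api/info', baseUrl));
  if (!res.ok) throw new Error(`HTTP ${res.status} from /api/info`);
  return assessInfoResponse(await res.text());
}

// Constructed sample response in the shape /api/info returns.
const SAMPLE_INFO = '{"version":"4.8.7","success":true}';
console.log(assessInfoResponse(SAMPLE_INFO)); // { version: '4.8.7', status: 'vulnerable' }

if (typeof process !== 'undefined' && process.argv[2]) {
  checkServer(process.argv[2]).then(console.log, (e) => {
    console.error(e.message);
    process.exitCode = 1;
  });
}
```

Run it as `node check-rocketchat.js https://chat.example.org` (hypothetical file and host names) to assess a live server, or with no argument to see the classification of the constructed sample. A result of "fixed" only tells you this particular method enforces access; it says nothing about other configuration, so it complements rather than replaces the access reviews above.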
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: hackerone
- Date Reserved: 2022-06-01T00:00:00.000Z
- CISA Enriched: true
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 682f41160acd01a249262002
Added to database: 5/22/2025, 3:21:58 PM
Last enriched: 7/8/2025, 9:42:46 AM
Last updated: 8/17/2025, 9:36:29 PM