CVE-2022-32228 is an information disclosure vulnerability affecting Rocket.Chat versions prior to 4.7.5, 4.8.2, and 5.0.0. The root cause lies in the getReadReceipts Meteor server method, which fails to properly sanitize user inputs before incorporating them into MongoDB queries. Specifically, the vulnerability allows an attacker to use crafted $regex queries to enumerate arbitrary Message IDs stored in the database. This improper input filtering enables attackers with at least limited privileges (PR:L) to perform unauthorized data enumeration, potentially exposing message metadata or identifiers that should remain confidential. The vulnerability does not require user interaction and can be exploited remotely over the network (AV:N). The CVSS v3.1 base score is 4.3 (medium severity), reflecting limited confidentiality impact without affecting integrity or availability. No known exploits are reported in the wild, but the flaw represents a vector for information leakage that could aid further targeted attacks or reconnaissance within affected Rocket.Chat deployments.

For European organizations using vulnerable Rocket.Chat versions, this vulnerability could lead to unauthorized disclosure of message identifiers and related metadata. While the direct confidentiality impact is limited (no message content leakage is explicitly stated), the ability to enumerate message IDs can facilitate further attacks such as targeted phishing, social engineering, or privilege escalation attempts. Organizations relying on Rocket.Chat for internal communications, especially those handling sensitive or regulated data, may face increased risk of information exposure. This could undermine trust in communication confidentiality and potentially violate data protection regulations like GDPR if personal data is indirectly exposed. The vulnerability does not affect system integrity or availability, so operational disruption risk is low. However, the information leakage could be leveraged by threat actors to map communication patterns or identify high-value targets within European enterprises or government entities.

European organizations should promptly upgrade Rocket.Chat to versions 4.7.5, 4.8.2, or 5.0.0 or later, where this vulnerability is fixed. Until patching is complete, administrators should restrict access to the getReadReceipts Meteor server method by enforcing strict authentication and authorization controls, limiting which users can invoke this method. Network-level controls such as firewall rules or VPN requirements can reduce exposure by limiting access to Rocket.Chat servers. Monitoring and logging of unusual query patterns or excessive use of $regex queries against the database should be implemented to detect potential exploitation attempts. Additionally, organizations should review their Rocket.Chat configurations to disable or restrict features that expose message metadata unnecessarily. Conducting internal audits to identify any suspicious enumeration activity and educating users about potential phishing risks arising from leaked metadata can further reduce impact.