Rocket.Chat's CAS login handler prior to the fixed versions forwards the client-supplied options.cas.credentialToken directly into a MongoDB findOne({_id: ...}) query without runtime type checking. Because TypeScript's string annotations are erased at runtime, an attacker can supply a MongoDB query operator (e.g., {$gt: ""}, {$ne: null}) instead of a string token. This operator matches the first unexpired document in the credential_tokens collection, bypassing the CAS ticket validation. When a legitimate CAS or SAML SSO login is in progress, the attacker can then perform a DDP login call that matches the same credential-token document, receiving a full Meteor authentication token bound to the victim's user ID. This token grants access to the full REST and DDP API surfaces as the victim user. If the victim is an administrator, the attacker can escalate to full instance compromise by installing Apps-Engine apps. The issue is fixed in versions 7.10.11, 7.13.7, 8.0.5, 8.1.4, 8.2.3, 8.3.3, 8.4.1, and 8.5.0.

An unauthenticated attacker can bypass CAS ticket validation and authenticate as any user, including administrators, without valid credentials. This leads to full compromise of the Rocket.Chat instance, allowing unauthorized access to all REST and DDP APIs and potential installation of malicious apps via the Apps-Engine. The vulnerability severely impacts confidentiality and integrity but does not affect availability.

A fix is available in Rocket.Chat versions 7.10.11, 7.13.7, 8.0.5, 8.1.4, 8.2.3, 8.3.3, 8.4.1, and 8.5.0. Users should upgrade to one of these versions or later to remediate this vulnerability. Patch status is confirmed by the vendor advisory. No alternative mitigations are specified.