Rocket.Chat's Apple Sign-In handler in versions before 7.10.13, 8.0.7, 8.1.6, 8.2.6, 8.3.6, 8.4.4, and 8.5.1 verifies JWT signatures but skips validation of critical claims (aud, exp, nbf, nonce). Consequently, any Apple-signed JWT with a non-empty issuer claim is accepted regardless of these claims. An attacker who obtains a target user's Apple identity token—via server logs, intercepted sign-in flows, or other applications sharing the same Apple developer team—can replay the token to authenticate as that user without expiration on the replay window. This constitutes an improper authentication vulnerability (CWE-287) and is addressed in the fixed versions.

An attacker who obtains a valid Apple identity token for a target user can bypass proper authentication checks and gain unauthorized access to that user's Rocket.Chat account. The vulnerability allows indefinite replay of the token due to lack of expiration and claim validation, potentially leading to full compromise of user identity within the affected Rocket.Chat instances. The CVSS 3.1 base score is 7.4 (High), reflecting network attack vector, high impact on confidentiality and integrity, and no required privileges or user interaction.

This vulnerability is fixed in Rocket.Chat versions 7.10.13, 8.0.7, 8.1.6, 8.2.6, 8.3.6, 8.4.4, and 8.5.1. Users and administrators should upgrade to one of these versions or later to remediate the issue. No other mitigation or workaround is indicated in the available data.