Rocket.Chat
cpe:2.3:a:rocket.chat:rocket.chat:*:*:*:*:*:*:*
- < 8.2.0
- < 8.1.1
- < 8.0.2
- < 7.13.4
- < 7.12.5
- < 7.11.5
- < 7.10.8
A NoSQL injection vulnerability has been identified in Rocket.Chat's account service within the ddp-streamer microservice. This vulnerability, present in versions prior to 7.10.8, 7.11.5, 7.12.5, 7.13.4, 8.0.2, 8.1.1, and 8.2.0, allows unauthenticated attackers to manipulate MongoDB queries during the username-based login process. User input is directly inserted into a MongoDB query selector without proper validation, enabling attackers to inject MongoDB operator expressions, such as regular expressions, to match unintended user records. The issue arises because the username parameter is used in a database query without type or content validation, creating a potential for unauthorized access by exploiting the injection flaw.
Exploitation of this vulnerability could lead to unauthorized logins by manipulating the MongoDB query to bypass normal authentication checks, especially when combined with another identified vulnerability in Rocket.Chat.
Users are advised to validate the username parameter as a primitive string before incorporating it into database queries. Alternatively, parameterized queries should be used when possible.
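The advice above, as an added example that is not Rocket.Chat's own code: a login handler in a Node.js service receives a parsed JSON body, and the value it puts into the MongoDB selector must be a primitive string. The hypothetical `buildLoginSelector` below is the hardened form; `unsafeLoginSelector` is a minimal illustration of the flaw class the advisory describes (the request value is passed through untyped, so an object carrying a MongoDB operator such as a regular expression is treated as a query operator rather than as a username). The length limit and the `username` field name are assumptions for the example.

```javascript
// Added example (not Rocket.Chat's code). Assumptions: the login request body
// has already been parsed from JSON, the user collection keys records by a
// plain "username" field, and 256 is an arbitrary upper bound chosen here.
const USERNAME_MAX_LEN = 256;

// Illustration of the defect class only: whatever the client sent becomes the
// selector value. A string matches one account, but an object such as
// { $regex: ... } is interpreted by MongoDB as an operator expression.
function unsafeLoginSelector(username) {
  return { username: username };
}

// Hardened form: accept only a primitive, non-empty, bounded string and wrap
// it in $eq so the value is always compared literally. Any other input
// (object, array, number, null) is rejected by returning null, which the
// caller treats as a failed login rather than running a query.
function buildLoginSelector(username) {
  if (typeof username !== 'string') return null;
  if (username.length === 0 || username.length > USERNAME_MAX_LEN) return null;
  return { username: { $eq: username } };
}

// Request-level wrapper: the kind of check the advisory recommends applying
// before the username reaches the database layer.
function prepareLogin(body) {
  const selector = buildLoginSelector(body && body.username);
  if (selector === null) {
    return { ok: false, reason: 'username must be a non-empty string' };
  }
  return { ok: true, selector };
}

// Constructed inputs for a stand-alone run (not taken from any real request).
const samples = [
  { username: 'alice' },
  { username: { $regex: '.*' } },
  { username: '' },
  { username: 42 },
];
for (const body of samples) {
  console.log(JSON.stringify(body), '->', JSON.stringify(prepareLogin(body)));
}
```

The `$eq` wrapper is belt-and-braces: once the type check guarantees a string, `{ username: value }` is already safe, but making the literal comparison explicit keeps the selector safe even if a later refactor drops the check. A driver-level alternative, where available, is to reject any selector value that is an object with a `$`-prefixed key before sending the query.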