Rocket.Chat AutoTranslate DDP Method Message Exposure Vulnerability

Vulnerability

A vulnerability exists in the Rocket.Chat DDP method 'autoTranslate.translateMessage' in versions prior to 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8, and 7.10.12. This vulnerability allows any authenticated DDP user to read private messages from any room, including private channels, direct messages, and end-to-end encrypted rooms. The issue arises because the method accepts a client-supplied IMessage object and passes it directly to 'translateMessage()' without validating the user's identity or room membership.
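The missing check described above, as an added example that is not Rocket.Chat's own code: a DDP-style method handler that trusts the client-supplied message object is placed beside one that accepts only a message id, resolves the message server-side and refuses unless the caller is a member of the room. The in-memory rooms, messages and membership sets, the translateText stand-in, the MethodError class and the error codes are all constructed for this example; the "trusting" handler is an abstraction of the flaw the advisory names, not a reconstruction of the affected code.

```javascript
// Constructed sample data, not real Rocket.Chat documents.
const rooms = {
  r_general: { _id: 'r_general', t: 'c', encrypted: false }, // public channel
  r_private: { _id: 'r_private', t: 'p', encrypted: false }, // private group
  r_secret: { _id: 'r_secret', t: 'p', encrypted: true }, // E2E room (assumed flag)
};

const messages = {
  m1: { _id: 'm1', rid: 'r_general', msg: 'hello everyone' },
  m2: { _id: 'm2', rid: 'r_private', msg: 'quarterly numbers attached' },
  m3: { _id: 'm3', rid: 'r_secret', msg: '<ciphertext>' },
};

// roomId -> set of member userIds (stand-in for a subscriptions collection)
const members = {
  r_general: new Set(['alice', 'bob', 'mallory']),
  r_private: new Set(['alice', 'bob']),
  r_secret: new Set(['alice']),
};

// Stand-in for the translation provider: just tags the text with the target language.
function translateText(text, lang) {
  return `[${lang}] ${text}`;
}

// Hypothetical method error type; the codes are constructed, not Rocket.Chat's.
class MethodError extends Error {
  constructor(code) {
    super(code);
    this.code = code;
  }
}

// Flawed shape (abstracted): the only gate is "is the caller logged in".
// Whatever message the client references gets translated, regardless of room.
function translateMessageTrustingClient(callerId, clientMessage, lang) {
  if (!callerId) throw new MethodError('error-invalid-user');
  const stored = messages[clientMessage._id]; // client chooses any id
  if (!stored) throw new MethodError('error-invalid-message');
  return translateText(stored.msg, lang);
}

// Hardened shape: take only an id from the client, load everything else from
// the store, and enforce room membership before touching message content.
function translateMessageChecked(callerId, clientMessage, lang) {
  if (!callerId) throw new MethodError('error-invalid-user');
  if (!clientMessage || typeof clientMessage._id !== 'string') {
    throw new MethodError('error-invalid-message');
  }
  const stored = messages[clientMessage._id];
  // Same error for "no such message" and "not a member", so the method is
  // not an oracle for which ids exist.
  if (!stored) throw new MethodError('error-invalid-message');
  const room = rooms[stored.rid];
  const roomMembers = room && members[room._id];
  if (!roomMembers || !roomMembers.has(callerId)) {
    throw new MethodError('error-invalid-message');
  }
  // Server-side translation has no business with E2E content (assumed policy).
  if (room.encrypted) throw new MethodError('error-not-allowed');
  return translateText(stored.msg, lang);
}

// Helper for callers that want a result object instead of an exception.
function tryTranslate(handler, callerId, clientMessage, lang) {
  try {
    return { ok: true, value: handler(callerId, clientMessage, lang) };
  } catch (e) {
    return { ok: false, error: e.code };
  }
}
```

With the sample data, 'mallory' is a member of r_general only; the trusting handler still hands her the r_private message when she supplies its id, while the checked handler returns the same 'error-invalid-message' it would for a nonexistent id, and refuses the E2E room even to its member.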

Impact

Exploitation of this vulnerability allows unauthorized access to private messages from any room, bypassing authentication and room access checks.

Remediation

Users can update to Rocket.Chat versions 8.5.0, 8.4.2, 8.3.4, 8.2.4, 8.1.5, 8.0.5, 7.13.8, or 7.10.12 to address this vulnerability.

Added: May 28, 2026, 6:08 AM
Updated: May 28, 2026, 6:08 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 5.4
remediation: 0.0
relevance: 9.6
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.