CVE-2021-22911

9.8 CRITICAL

📋 TL;DR

CVE-2021-22911 is an improper input sanitization vulnerability in the Rocket.Chat server (versions 3.11, 3.12 and 3.13) that lets an unauthenticated attacker inject MongoDB query operators into server-side queries (NoSQL injection). The injection can be escalated to remote code execution on the server, which is why it carries a 9.8 CRITICAL score. Any organization running an affected version is at risk.

💻 Affected Systems

Products:
  • Rocket.Chat
Versions: 3.11, 3.12, 3.13
Operating Systems: All platforms running Rocket.Chat
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments of affected versions are vulnerable regardless of configuration.

📦 What is this software?

Rocket.Chat is an open-source team messaging server, a Node.js/Meteor application backed by MongoDB, that organizations self-host (snap, Docker or manual install) and usually expose to users over HTTPS, often directly to the Internet.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete server compromise allowing attackers to execute arbitrary code, access sensitive data, and pivot to other systems.

🟠

Likely Case

Unauthenticated attackers gain remote code execution, potentially leading to data theft, ransomware deployment, or botnet recruitment.

🟢

If Mitigated

Attack attempts are blocked at network perimeter or detected before successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public exploit scripts and detailed technical analysis available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.13.1 and later

Vendor Advisory: https://github.com/RocketChat/Rocket.Chat/releases/tag/3.13.1

Restart Required: Yes

Instructions:

1. Back up the Rocket.Chat instance and its MongoDB database before changing anything.
2. Update to Rocket.Chat 3.13.1 or later using the same method the instance was installed with (snap, Docker image tag, or manual/tarball install).
3. Restart the Rocket.Chat service.
4. Verify that the running version is 3.13.1 or later (see How to Verify below).

🔧 Temporary Workarounds

Network Access Restriction

linux

Restrict access to the Rocket.Chat server to trusted IP addresses only. The rules below assume Rocket.Chat is exposed directly on its default listen port, 3000; if it sits behind a reverse proxy, restrict the proxy's listener (80/443) instead, or allow loopback traffic ahead of the DROP so the proxy can still reach port 3000. Repeat the ACCEPT line for each trusted address or CIDR range, and note that -A appends: any earlier ACCEPT rule for the port will win over the DROP. The rules do not survive a reboot unless saved with your distribution's iptables persistence mechanism.

iptables -A INPUT -p tcp --dport 3000 -s TRUSTED_IP -j ACCEPT
iptables -A INPUT -p tcp --dport 3000 -j DROP

🧯 If You Can't Patch

  • Implement strict network segmentation and firewall rules so that only trusted networks can reach the Rocket.Chat server.
  • Deploy a web application firewall (WAF) with NoSQL injection rules, and confirm that it actually inspects JSON request bodies and the WebSocket (DDP) traffic Rocket.Chat clients use; a WAF that matches only on URLs and headers will not see the injected operators.
  • Treat both as stopgaps: they reduce exposure but do not remove the flaw.

🔍 How to Verify

Check if Vulnerable:

Read the running server version from the admin panel (Administration > Info) or from the unauthenticated REST endpoint GET /api/info, which includes the version in its JSON response. Any 3.11.x, 3.12.x or 3.13.0 build is affected.

Check Version:

rocketchatctl version (official install script), snap list rocketchat-server (snap install), the image tag of the running container (Docker), or your package manager's installed-package list (apt list --installed | grep rocketchat).

Verify Fix Applied:

Confirm the reported version is 3.13.1 or higher. Re-running public exploit payloads is only appropriate against instances you are authorised to test, and a payload that fails is weaker evidence than the version itself. Because exploitation can end in code execution, also review the period the instance was exposed: a version check proves the patch is present, not that the host was never compromised.
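The version comparison described above, as an added example that is not part of the original advisory or of Rocket.Chat's own tooling: it parses the version string, decides whether it falls inside the affected range given on this page (3.11.0 up to but not including 3.13.1), and reads the version out of a GET /api/info response. The response shape ({"version": ...} with an info.version fallback) is an assumption, SAMPLE_INFO is a constructed body, and fetch_info performs a live request only when a URL is passed on the command line.

```python
import json
import re
from urllib.request import urlopen

# Range taken from the advisory above: 3.11, 3.12 and 3.13 are affected and
# 3.13.1 is the first fixed release it names.
AFFECTED_FROM = (3, 11, 0)
FIXED_IN = (3, 13, 1)

_VERSION = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """'3.13.1' or '3.13.1-develop' -> (3, 13, 1). Pre-release suffixes are
    ignored, so a '-develop' build is treated as its numbered release."""
    m = _VERSION.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Rocket.Chat version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version):
    """True when 3.11.0 <= version < 3.13.1 (the advisory's affected range)."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def version_from_info(body):
    """Pull the server version out of a GET /api/info response body.
    Assumed shape: {"version": "x.y.z", "info": {"version": "x.y.z"}, ...}."""
    data = json.loads(body)
    version = data.get("version") or data.get("info", {}).get("version")
    if not version:
        raise ValueError("no version field in /api/info response")
    return version


def assess(body):
    """Return (version, verdict) for an /api/info response body."""
    version = version_from_info(body)
    return version, "VULNERABLE" if is_vulnerable(version) else "not in affected range"


def fetch_info(base_url, timeout=5):
    """Live check against a server you are authorised to test; not used offline."""
    with urlopen(base_url.rstrip("/") + "/api/info", timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed /api/info response used for the offline demonstration.
SAMPLE_INFO = json.dumps({"version": "3.12.1", "info": {"version": "3.12.1"}, "success": True})

if __name__ == "__main__":
    import sys
    body = fetch_info(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_INFO
    print("Rocket.Chat %s: %s" % assess(body))
```

Run it with no arguments to see the verdict for the constructed body, or pass the base URL of your own instance (for example https://chat.example.internal) to check the live version. The comparison is deliberately tied to the range this page states; if a later advisory names backported fixes for 3.11.x or 3.12.x, widen FIXED_IN accordingly rather than trusting a single cut-off.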

📡 Detection & Monitoring

Log Indicators:

  • MongoDB query logging: mongod records only operations slower than slowms (100 ms by default), so operator-laden queries will not show up in its log unless profiling is enabled or that threshold is lowered.
  • Unexpected process execution by the user running the Rocket.Chat (node) process, such as shells or download tools.
  • Administrative changes no operator made: new administrator accounts, role changes, altered server settings.

Network Indicators:

  • HTTP requests to Rocket.Chat endpoints whose JSON bodies or query-string parameters contain MongoDB operators ($ne, $regex, $where and similar); note that Meteor method calls also travel over the DDP WebSocket, which URL-only inspection misses.
  • Outbound connections from the Rocket.Chat server to unknown destinations.

SIEM Query:

source="rocketchat.log" AND ("$ne" OR "$regex" OR "$where")

Rocket.Chat's own log does not record request bodies, so point source at a log that does (reverse-proxy or WAF body logging) for this query to fire on the injection itself. Plain substring matching also fires on chat messages that merely mention "$ne"; operators appearing as JSON keys (quoted and followed by a colon) are the reliable signal.
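Added example, not from the original page or the Rocket.Chat project: the operator check behind both the input-sanitization point in the TL;DR and the detection query above, in Python. find_operators walks decoded JSON, including JSON carried inside a string (the shape Meteor/DDP method calls take), and reports every key beginning with "$"; require_string is the generic server-side guard (a type check, not Rocket.Chat's actual patch); scan_request_log runs the same walk over constructed reverse-proxy log lines. The JSON-lines log format, the exampleMethod method name and all sample traffic are constructed; /api/v1/method.callAnon/<method> and /api/v1/users.list are Rocket.Chat REST API paths used for realism, not as exploit steps.

```python
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

# MongoDB operators are keys beginning with '$' ($ne, $regex, $where, ...).
# Application field names never start with '$', so a '$' key inside untrusted
# input is the injection signature, whichever operator it is.
OPERATOR_KEY = re.compile(r"^\$[A-Za-z]+$")


def _maybe_json(text):
    """Decode a string that looks like a JSON object/array, else None."""
    text = text.strip()
    if text[:1] in ("{", "["):
        try:
            return json.loads(text)
        except ValueError:
            return None
    return None


def find_operators(obj, path="$", depth=0):
    """Return (json_path, operator) for every '$' key in decoded input.
    Strings holding JSON are decoded too: Meteor/DDP method calls travel as
    a JSON document wrapped in a JSON string, so a single decode misses them."""
    hits = []
    if depth > 8:  # bound recursion on hostile nesting
        return hits
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}.{key}"
            if OPERATOR_KEY.match(key):
                hits.append((child, key))
            hits.extend(find_operators(value, child, depth + 1))
    elif isinstance(obj, list):
        for i, item in enumerate(obj):
            hits.extend(find_operators(item, f"{path}[{i}]", depth + 1))
    elif isinstance(obj, str):
        inner = _maybe_json(obj)
        if inner is not None:
            hits.extend(find_operators(inner, f"{path}<json>", depth + 1))
    return hits


def require_string(params, name):
    """Server-side guard (generic hardening, not Rocket.Chat's patch): a value
    the query compares as a literal must be a str. A dict would be handed to
    MongoDB as an operator expression, turning the lookup into a search."""
    value = params.get(name)
    if not isinstance(value, str):
        raise TypeError(f"{name!r} must be a string, got {type(value).__name__}")
    return value


def scan_request_log(lines):
    """Flag JSON-lines proxy records (ts, src, method, path, body) whose query
    string or body carries MongoDB operators."""
    findings = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except ValueError:
            continue  # skip malformed records rather than abort the scan
        url = urlsplit(rec.get("path", ""))
        hits = []
        for key, values in parse_qs(url.query).items():
            for value in values:  # parse_qs has already URL-decoded these
                hits.extend(find_operators(value, f"query.{key}"))
        hits.extend(find_operators(rec.get("body") or "", "body"))
        if hits:
            findings.append({"ts": rec.get("ts"), "src": rec.get("src"), "path": url.path,
                             "operators": sorted({op for _, op in hits}),
                             "where": [p for p, _ in hits]})
    return findings


def _record(ts, src, method, path, body=None):
    """One constructed log line; the body is stored as the raw request string."""
    return json.dumps({"ts": ts, "src": src, "method": method, "path": path,
                       "body": json.dumps(body) if body is not None else ""})


# Constructed sample traffic. Only a reverse proxy or WAF that logs bodies can
# produce this; Rocket.Chat's own log does not record request bodies.
SAMPLE_LOG = [
    # Anonymous Meteor method call ('exampleMethod' is a placeholder name): the
    # DDP message is a JSON string inside the JSON body, and 'token' is an
    # operator object where a plain string belongs.
    _record("2021-05-01T10:00:07Z", "198.51.100.9", "POST",
            "/api/v1/method.callAnon/exampleMethod",
            {"message": json.dumps({"msg": "method", "method": "exampleMethod",
                                    "params": [{"token": {"$regex": "^a"}}]})}),
    # Operator smuggled through a URL-encoded JSON query-string parameter.
    _record("2021-05-01T10:00:09Z", "198.51.100.9", "GET",
            "/api/v1/users.list?" + urlencode({"query": json.dumps({"username": {"$ne": ""}})})),
    # Benign: '$ne' appears inside a message value, not as a key. A raw
    # substring search for "$ne" would false-positive here; this scan does not.
    _record("2021-05-01T10:00:12Z", "203.0.113.5", "POST", "/api/v1/chat.postMessage",
            {"roomId": "GENERAL", "text": "the $ne operator costs $5"}),
]

if __name__ == "__main__":
    for f in scan_request_log(SAMPLE_LOG):
        print(f["ts"], f["src"], f["path"], f["operators"], f["where"])
```

Run with python3 to print the two flagged requests and the JSON path where each operator sits. The walk matches operators only where they occur as keys, which is what separates a real injection from a chat message that happens to contain "$ne"; adapt _record and scan_request_log to whatever body-log format your proxy or WAF emits.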

🔗 References

  • NVD entry: https://nvd.nist.gov/vuln/detail/CVE-2021-22911
  • Rocket.Chat 3.13.1 release: https://github.com/RocketChat/Rocket.Chat/releases/tag/3.13.1