CVE-2023-23917

8.8 HIGH

📋 TL;DR

A prototype pollution vulnerability in Rocket.Chat server versions below 5.2.0 allows attackers to achieve remote code execution (RCE) under admin privileges. This affects both cloud infrastructure (where users can create their own servers) and self-hosted instances. The vulnerability can escalate XSS attacks to RCE, significantly increasing the impact.

💻 Affected Systems

Products:
  • Rocket.Chat
Versions: All versions < 5.2.0
Operating Systems: All platforms running Rocket.Chat
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both cloud and self-hosted deployments. Cloud infrastructure is particularly exposed because users can create their own servers there.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of Rocket.Chat server with admin-level RCE, potentially leading to lateral movement, data exfiltration, and full system control.

🟠 Likely Case

Unauthorized admin access leading to data theft, privilege escalation, and potential RCE on vulnerable instances.

🟢 If Mitigated

Limited impact with proper network segmentation, admin account protection, and monitoring in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires an authenticated user account but can lead to admin privileges and RCE. The prototype pollution can also be chained with an XSS flaw, which raises the impact of an otherwise client-side bug to server-side code execution.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.0 and later

Vendor Advisory: https://github.com/RocketChat/Rocket.Chat/releases/tag/5.2.0

Restart Required: Yes

Instructions:

1. Backup your Rocket.Chat instance and database.
2. Update to Rocket.Chat version 5.2.0 or later.
3. Restart the Rocket.Chat service.
4. Verify the update was successful.

🔧 Temporary Workarounds

Restrict User Server Creation (all platforms)

Disable the ability for users to create their own servers in cloud deployments.

Network Segmentation (all platforms)

Isolate Rocket.Chat servers from critical infrastructure.

🧯 If You Can't Patch

  • Implement strict input validation and sanitization for user-controlled data
  • Monitor for unusual admin account activity and prototype pollution attempts
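The "strict input validation" workaround above is about one concrete thing: never letting a request body write keys that reach the prototype chain. The following is an added, generic example (not Rocket.Chat code and not the vulnerable code path from this CVE) showing how a naive recursive merge of a JSON body turns a "__proto__" key into a write on Object.prototype, beside a hardened merge that refuses such keys. The request body, the setting names and the isAdmin property are constructed for the illustration.

```javascript
// Added example (not Rocket.Chat code): why a "__proto__" key in a JSON body
// matters, and what a hardened merge looks like.
'use strict';

const isPlainObject = (v) => v !== null && typeof v === 'object' && !Array.isArray(v);

// Naive recursive merge: trusts every key in `source`, including "__proto__".
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      // When key === "__proto__", target[key] resolves to Object.prototype,
      // so the recursion below writes into the shared prototype.
      if (!isPlainObject(target[key])) target[key] = {};
      naiveMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened merge: drops keys that can reach the prototype chain and only
// recurses into properties the target actually owns.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // or log and reject the whole request
    const value = source[key];
    if (isPlainObject(value)) {
      if (!Object.hasOwn(target, key) || !isPlainObject(target[key])) target[key] = {};
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker-style body. JSON.parse produces an *own* "__proto__"
// property, which Object.keys() happily enumerates.
const POLLUTING_BODY = '{"name":"x","__proto__":{"isAdmin":true}}';

// Merges the body with the given function and reports whether an unrelated,
// freshly created object now carries `isAdmin`. The pollution is undone in
// `finally` so the process is left clean afterwards.
function mergeAndCheck(mergeFn) {
  const settings = {};
  try {
    mergeFn(settings, JSON.parse(POLLUTING_BODY));
    const unrelated = {};
    return unrelated.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}

function naiveLeaks() { return mergeAndCheck(naiveMerge); } // true
function safeLeaks() { return mergeAndCheck(safeMerge); }   // false

// The hardened merge still keeps the legitimate data from the body.
function safeMergeResult() {
  return safeMerge({}, JSON.parse(POLLUTING_BODY));
}

console.log('naive merge pollutes Object.prototype:', naiveLeaks());
console.log('hardened merge pollutes Object.prototype:', safeLeaks());
console.log('hardened merge keeps:', Object.keys(safeMergeResult()));
```

The deny-list of three keys is the minimum; a stricter variant validates the body against an explicit schema of expected keys, which also stops unknown settings from being written at all.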

🔍 How to Verify

Check if Vulnerable:

Check Rocket.Chat version via admin panel or by running: rocket.chat --version

Check Version:

rocket.chat --version

Verify Fix Applied:

Confirm the running version is 5.2.0 or higher, then confirm that requests carrying prototype-polluting keys (for example __proto__) are rejected rather than applied.

📡 Detection & Monitoring

Log Indicators:

  • Unusual admin account activity
  • Prototype pollution attempts in request logs
  • Unexpected server creation events

Network Indicators:

  • Suspicious payloads in HTTP requests to Rocket.Chat endpoints
  • Unusual outbound connections from Rocket.Chat server

SIEM Query:

source="rocketchat" AND (event="admin_login" OR event="server_create" OR message="*prototype*" OR message="*__proto__*")
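The SIEM query above matches on substrings, which is a reasonable first alert but has two weak spots: it fires on any message that merely mentions __proto__, and it misses payloads that spell the same attack as a dotted path such as constructor.prototype. The following is an added example (not Rocket.Chat code) of a key-aware scanner that parses the JSON body out of request log lines and flags only keys that would reach the prototype chain. The log line format, timestamps, URLs and bodies are constructed for the example and are not the affected endpoint; adapt the regex to your real access or body log.

```javascript
// Added example (not Rocket.Chat code): key-aware detection of prototype
// pollution attempts in request logs.
'use strict';

const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Walks a parsed JSON value and returns the dotted paths of any key that
// would reach the prototype chain when merged into an object.
function findPollutingPaths(value, path = [], out = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findPollutingPaths(v, [...path, String(i)], out));
  } else if (value !== null && typeof value === 'object') {
    for (const key of Object.keys(value)) {
      // Dotted keys such as "constructor.prototype.isAdmin" are how some
      // query-string and form parsers express nested paths, so split them.
      const segments = key.split('.');
      if (segments.some((s) => POLLUTING_KEYS.has(s))) out.push([...path, key].join('.'));
      findPollutingPaths(value[key], [...path, key], out);
    }
  }
  return out;
}

// Constructed line format: "<ts> <method> <url> <status> body=<json>"
const LINE_RE = /^(\S+) (\S+) (\S+) (\d{3}) body=(.*)$/;

// Returns a finding for one log line, or null when the line looks clean.
function scanLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  const [, ts, method, url, , rawBody] = m;
  let body;
  try {
    body = JSON.parse(rawBody);
  } catch {
    return null; // not JSON; nothing to inspect at key level
  }
  const paths = findPollutingPaths(body);
  return paths.length ? { ts, method, url, paths } : null;
}

function scanLog(lines) {
  return lines.map(scanLogLine).filter(Boolean);
}

// Constructed sample log. Lines 2 and 3 are the ones a defender wants flagged.
// Line 4 only *mentions* __proto__ inside a string value: a substring query
// alerts on it, a key-aware scan does not.
const SAMPLE_LOG = [
  '2023-02-01T10:00:00Z POST /api/v1/example.update 200 body={"data":{"name":"alice"}}',
  '2023-02-01T10:00:05Z POST /api/v1/example.update 200 body={"data":{"__proto__":{"isAdmin":true}}}',
  '2023-02-01T10:00:09Z POST /api/v1/example.settings 200 body={"constructor.prototype.isAdmin":true}',
  '2023-02-01T10:00:12Z POST /api/v1/example.message 200 body={"text":"discussing __proto__ in a code review"}',
];

const FINDINGS = scanLog(SAMPLE_LOG);

for (const f of FINDINGS) {
  console.log(`${f.ts} ${f.method} ${f.url} polluting keys: ${f.paths.join(', ')}`);
}
```

Run against the sample log this reports two findings (data.__proto__ and constructor.prototype.isAdmin) and stays silent on the chat message that merely contains the string. Feeding it the raw body log of a pre-5.2.0 instance is a cheap way to look for past attempts before patching.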
