CVE-2024-37405
📋 TL;DR
This vulnerability allows attackers to leak livechat messages by chaining two NoSQL injection vulnerabilities in Rocket.Chat's livechat system. The attack can be performed pre-authentication, affecting any Rocket.Chat instance with livechat enabled. Organizations using Rocket.Chat for customer support or internal communications are at risk.
💻 Affected Systems
- Rocket.Chat
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all livechat conversations including sensitive customer data, personal information, and potentially credentials or other confidential information exchanged in chat sessions.
Likely Case
Unauthorized access to livechat conversations, potentially exposing customer support interactions, personal data, and business communications.
If Mitigated
Limited exposure if proper input validation and NoSQL injection protections are in place, but still represents a data leakage risk.
🎯 Exploit Status
Requires chaining two NoSQL injections, but detailed exploit information is publicly available on HackerOne. The pre-authentication nature makes exploitation easier.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.4.10, 7.0.4, and 7.1.0
Vendor Advisory: https://github.com/RocketChat/Rocket.Chat/releases
Restart Required: Yes
Instructions:
1. Back up your Rocket.Chat instance and database.
2. Update to version 6.4.10, 7.0.4, or 7.1.0 or later.
3. Restart the Rocket.Chat service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Livechat Feature
Temporarily disable the livechat feature if it is not critically needed
Set 'Livechat_enabled' to false in Rocket.Chat admin settings
Network Access Control
Restrict access to livechat endpoints to trusted networks only
Configure firewall rules to limit access to /api/v1/livechat endpoints
🧯 If You Can't Patch
- Implement WAF rules to detect and block NoSQL injection patterns in livechat endpoints
- Enable detailed logging for livechat API calls and monitor for unusual query patterns
🔍 How to Verify
Check if Vulnerable:
Check the Rocket.Chat version via the admin panel or run meteor --version in the Rocket.Chat directory. If the version is below the patched release for your branch (6.4.10, 7.0.4, or 7.1.0) and livechat is enabled, you are vulnerable.
Check Version:
meteor --version (in the Rocket.Chat directory) or check Admin > Info in the web interface
Verify Fix Applied:
After updating, verify the version is 6.4.10, 7.0.4, 7.1.0 or later. Test livechat functionality to ensure it works normally.
📡 Detection & Monitoring
Log Indicators:
- Unusual query patterns in livechat:loginByToken or livechat:loadHistory endpoints
- Multiple failed login attempts via livechat token
- Unusual data retrieval patterns from livechat collections
Network Indicators:
- Unusual volume of requests to /api/v1/livechat endpoints
- Requests with malformed JSON or MongoDB query operators in parameters
SIEM Query:
source="rocketchat" AND (endpoint="livechat:loginByToken" OR endpoint="livechat:loadHistory") AND (query CONTAINS "$" OR params CONTAINS "{" OR params CONTAINS "}")
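The WAF-rule workaround and the detection indicators above both come down to the same check: a livechat request whose parameters carry MongoDB query operators ($-prefixed keys) or a non-string value where the handler expects a string. The following is an added example, not Rocket.Chat code or the SIEM query above; it runs that check over a handful of constructed log lines in an assumed "timestamp [verb] method-or-path json-params" layout (real Rocket.Chat logs are not in this shape) and reports which lines a defender should look at. The parameter names treated as string-typed are an assumption.

```python
"""Flag MongoDB operator injection attempts in Rocket.Chat livechat traffic.

Added illustration (not Rocket.Chat's own code): one pass over constructed
sample log lines covering both the WAF-style request check and the SIEM
indicator "MongoDB query operators in parameters".
"""
import json
import re

# Assumed log layout: "<timestamp> [<HTTP-verb>] <method-or-path> <json-params>".
# Real Rocket.Chat logs are not in this shape; the lines below are constructed.
SAMPLE_LOGS = [
    '2024-06-01T10:00:00Z livechat:loginByToken {"token":"abc123"}',
    '2024-06-01T10:00:01Z livechat:loginByToken {"token":{"$regex":"^a"}}',
    '2024-06-01T10:00:02Z livechat:loadHistory {"token":"abc123","rid":"room1"}',
    '2024-06-01T10:00:03Z livechat:loadHistory {"token":"abc123","rid":{"$ne":null}}',
    '2024-06-01T10:00:04Z POST /api/v1/livechat/room {"token":"abc123"}',
    '2024-06-01T10:00:05Z POST /api/v1/livechat/room {"token":{"$gt":""}}',
    '2024-06-01T10:00:06Z rooms:get {"_id":{"$ne":null}}',
    '2024-06-01T10:00:07Z livechat:loadHistory not-json-at-all',
]

LINE_RE = re.compile(r'^(\S+)\s+(?:(?:GET|POST|PUT|DELETE)\s+)?(\S+)\s+(.*)$')

# Assumed set of parameters that livechat handlers expect as plain strings;
# an object in one of these slots is how a "$" operator reaches the query.
STRING_PARAMS = ("token", "rid", "visitorToken")


def find_operators(value, path=""):
    """Return [(json-path, operator)] for every key that starts with '$'."""
    found = []
    if isinstance(value, dict):
        for key, child in value.items():
            child_path = f"{path}.{key}" if path else key
            if key.startswith("$"):
                found.append((path or "<root>", key))
            found.extend(find_operators(child, child_path))
    elif isinstance(value, list):
        for i, child in enumerate(value):
            found.extend(find_operators(child, f"{path}[{i}]"))
    return found


def type_violations(params):
    """Return names of string-typed params that arrived as something else.

    Operator detection alone misses e.g. {"token": ["a", "b"]}, so a WAF or
    the handler itself should also enforce the expected type of each field.
    """
    return [name for name in STRING_PARAMS
            if name in params and not isinstance(params[name], str)]


def is_livechat_target(target):
    """Meteor methods 'livechat:*' and REST paths under /api/v1/livechat."""
    return target.startswith("livechat:") or target.startswith("/api/v1/livechat")


def parse_line(line):
    """Split a log line into (timestamp, target, params); None if unparsable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, target, raw = m.groups()
    try:
        params = json.loads(raw)
    except json.JSONDecodeError:
        params = None  # malformed JSON is itself a listed network indicator
    return ts, target, params


def scan(lines):
    """Return one finding per suspicious livechat request."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, target, params = parsed
        if not is_livechat_target(target):
            continue  # the indicators above are scoped to livechat endpoints
        if params is None:
            findings.append({"ts": ts, "target": target, "reason": "malformed-json"})
            continue
        ops = find_operators(params)
        bad_types = type_violations(params) if isinstance(params, dict) else []
        if ops or bad_types:
            findings.append({"ts": ts, "target": target, "reason": "operator",
                             "operators": [op for _, op in ops],
                             "type_violations": bad_types})
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```

Running the block against the constructed lines yields four findings: three operator hits (on the loginByToken, loadHistory and REST room requests) and one malformed-JSON line; the rooms:get line with an operator is ignored because it is outside the livechat scope the indicators describe. The type check matters in the same way the page's "proper input validation" mitigation does: enforcing that token and rid are strings stops the injection class regardless of which operator is used.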