Security fixes and updates

This page includes regular updates about recently patched security issues in Rocket.Chat.

Do you want to report a security issue yourself? Please have a look at our Responsible Disclosure Policy. We appreciate your reports.

New issues are listed below, initially without details, to give administrators and users sufficient time to upgrade. Details of an issue are added with the next version release; for example, details of fixes introduced in version x.1 are added when version x.2 is available.

Please make sure to follow new version updates by subscribing to our newsletters or activating the announcement feature for new releases directly in the Rocket.Chat server administration settings. We recommend updating to the newest version as soon as possible to always have the newest security fixes.


RC-2020-0001 - High severity issue, fixed on 2020-07-25

Rocket.Chat Server - affects 3.4.x, fixed in 3.5 and 3.4.2 (RCE)

Fixed an issue where thread starting messages could be used to insert and execute code. Thanks to Pawel Wylecial of REDTEAM.PL.
