CVE-2025-7974

EUVD-2025-26448

02.09.2025, 20:15

rocket.chat Incorrect Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of rocket.chat. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the web service, which listens on TCP port 3000 by default. The issue results from incorrect authorization. An attacker can leverage this vulnerability to disclose information in the context of the application. Was ZDI-CAN-26517.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
zdi	CNA	3.7 LOW				CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: 17%

Affected Products (NVD)

Vendor	Product	Version
rocket.chat	rocket.chat	7.4.0 ≤ 𝑥 < 7.4.4
rocket.chat	rocket.chat	7.5.0 ≤ 𝑥 < 7.5.3
rocket.chat	rocket.chat	7.6.0 ≤ 𝑥 < 7.6.4
rocket.chat	rocket.chat	7.7.0 ≤ 𝑥 < 7.7.2
rocket.chat	rocket.chat	7.7.2 < 𝑥 < 7.8.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-863 - Incorrect Authorization
The software performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

References

https://www.zerodayinitiative.com/advisories/ZDI-25-627/