CVE-2022-35251 in Rocket.Chat

Summary

by MITRE • 09/23/2022

A cross-site scripting vulnerability exists in Rocket.chat <v5 due to style injection in the complete chat window. An adversary is able to manipulate not only the style of it, but will also be able to block functionality as well as hijack the content of targeted users. Since the payloads are stored in messages, it is a persistent attack vector, which will trigger as soon as the message gets viewed.


Analysis

by VulDB Data Team • 05/23/2025

The vulnerability identified as CVE-2022-35251 is a stored cross-site scripting flaw in Rocket.chat versions prior to v5, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Message content is not sufficiently neutralized before it is rendered, so an attacker can place style markup in an ordinary chat message and have it applied to the complete chat window of every user who views that message. The injection point is the message itself, which any user able to post in a room the target reads can reach.

The attack works because the payload is style markup rather than an obvious script: it passes through the message processing pipeline and the victim's browser applies it with the same authority as the application's own stylesheets. CSS alone is enough to hide or disable controls (blocking functionality), to cover the real conversation with attacker-chosen text (hijacking content), and to keep the window looking like a normal chat session while doing so. Because the message is stored in the database, the payload is re-applied on every subsequent view rather than only once, and it keeps working until the message is deleted or the rendering is fixed.

The operational impact follows from those two capabilities. Blocking functionality is a denial of service against targeted users from inside a trusted interface, and hijacking content supports phishing: an overlay that imitates a login prompt or a system notice is shown in the real chat window, where users have little reason to distrust it. The persistence means a single posted message affects everyone who opens the room for as long as it remains stored. The page maps this to ATT&CK T1531 (Account Access Removal) for the denial of functionality and T1566 (Phishing) for the content hijacking.

The remediation is to upgrade to Rocket.chat version 5.0 or later, where message rendering neutralizes the injected styles. Until the upgrade is done, the practical layers are the usual ones for stored injection: encode message text at render time so that markup in a message is displayed rather than interpreted, and ship a Content Security Policy whose style-src does not allow 'unsafe-inline' (note that a policy only helps if the application itself does not depend on inline styles, otherwise nonces or hashes are needed and the check must be made against the effective style-src). Server-side rejection or quarantine of messages that carry <style> elements, style attributes, @import or url() is a reasonable stopgap, and a web application firewall can enforce the same rule at the edge. Audits of chat applications should test for style injection alongside script injection, because a renderer that lets styles through usually has the same output-encoding gap for other markup.
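The following is an added example, not code from Rocket.Chat or from VulDB, covering the mechanism described above and the checks named in the mitigation paragraph: a renderer that interpolates message text into HTML and so lets a stored style payload through, the output-encoded version that neutralizes it, a detector for style-carrying messages that can run on stored content, and a check of whether a given CSP string actually restricts inline styles. The message objects, the CSS class names in the payload and the rendering markup are all constructed for illustration.

```javascript
// Added example (not Rocket.Chat code). Message shape, class names and
// markup are assumptions made for this illustration.

// Constructed attacker message: hides the composer for every viewer and paints
// a fake notice over the message list. No <script> is needed; CSS alone blocks
// functionality and hijacks what the victim sees.
const INJECTED_MESSAGE = {
  u: { username: 'attacker' },
  msg:
    '<style>' +
    '.rc-message-box{display:none !important}' +
    '.messages-box::after{content:"Session expired. Re-enter your password in the sidebar.";' +
    'position:fixed;top:0;left:0;width:100%;background:#fff;padding:1em}' +
    '</style>hello',
};

// Constructed benign message that still contains characters a naive filter
// might choke on; it must render unchanged in meaning.
const BENIGN_MESSAGE = { u: { username: 'alice' }, msg: 'meet at <3pm> & bring "notes"' };

// Vulnerable rendering: message text is interpolated into the HTML as-is, so a
// <style> element in the text becomes a live stylesheet for the whole window.
function renderMessageVulnerable(message) {
  return `<div class="message"><span class="user">${message.u.username}</span>` +
         `<div class="body">${message.msg}</div></div>`;
}

// Output encoding: every character that can open markup is encoded, so a
// <style> element or style="" attribute in the text is displayed, not applied.
function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[ch]);
}

function renderMessageSafe(message) {
  return `<div class="message"><span class="user">${escapeHtml(message.u.username)}</span>` +
         `<div class="body">${escapeHtml(message.msg)}</div></div>`;
}

// Detection for stored messages: flags constructs that can change page styling.
// Returns the names of the patterns that matched so an analyst sees why it fired.
const STYLE_INJECTION_PATTERNS = {
  styleElement: /<\s*style\b/i,
  styleAttribute: /\bstyle\s*=/i,
  cssImport: /@import\b/i,
  cssUrl: /\burl\s*\(/i,
  expression: /\bexpression\s*\(/i,
};

function findStyleInjection(text) {
  return Object.entries(STYLE_INJECTION_PATTERNS)
    .filter(([, re]) => re.test(text))
    .map(([name]) => name);
}

// CSP check: injected <style> elements are only blocked if the effective style
// source list (style-src, falling back to default-src) does not permit
// 'unsafe-inline'. Per CSP3, 'unsafe-inline' is ignored when a nonce or hash
// source is also present in that directive.
function cspAllowsInlineStyles(csp) {
  const directives = new Map(
    csp.split(';')
      .map((d) => d.trim())
      .filter(Boolean)
      .map((d) => {
        const [name, ...sources] = d.split(/\s+/);
        return [name.toLowerCase(), sources];
      })
  );
  const sources = directives.get('style-src') || directives.get('default-src');
  if (!sources) return true; // no style restriction at all
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

console.log('vulnerable render contains live <style>:',
  renderMessageVulnerable(INJECTED_MESSAGE).includes('<style>'));
console.log('flags on stored payload:', findStyleInjection(INJECTED_MESSAGE.msg));
console.log("style-src 'self' allows inline styles:",
  cspAllowsInlineStyles("default-src 'self'; style-src 'self'"));
```

The detector is intentionally coarse: it is meant to flag stored messages for review or quarantine, not to replace output encoding, since an attacker can vary casing, whitespace and encoding in ways a regex list will not keep up with. The CSP check matters because a policy copied from a template often includes 'unsafe-inline' for style-src precisely because the application needs it, in which case the policy provides no protection against this class of injection.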

Reservation

07/06/2022

Disclosure

09/23/2022

Moderation

accepted

CPE

ready

EPSS

0.00273

KEV

no

Activities

very low
