Impact
The ImageElement component in Rocket.Chat, part of the gazzodown rendering package, renders user‑supplied image URLs directly into <a> and <img> tags without validating the URL protocol. Unlike the LinkSpan component, which blocks the javascript:, data:, and vbscript: protocols, ImageElement passes the raw URL through unchanged. As a result, an authenticated user can post a markdown image whose URL uses the javascript: scheme. The message is persisted and rendered for every recipient; if a recipient clicks the image while using an older browser that still permits javascript: URLs on the generated elements, the embedded JavaScript runs in the victim's session and the attacker can execute arbitrary client‑side code with the victim's privileges. This is a stored cross‑site scripting (XSS) defect and is limited to the image rendering path; ordinary markdown links, which go through LinkSpan, are not affected.
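The following is an added example, not code from Rocket.Chat or the gazzodown package, showing the defect described above beside a hardened form. The raw renderer emits whatever URL it is given into both tags; the hardened one runs the URL through the WHATWG URL parser and only accepts http(s) (or relative) URLs, which catches the case variants and tab/newline tricks that a plain prefix check such as the denylist in LinkSpan would miss. All function names, the fallback markup and the dummy base URL are assumptions made for the example.

```javascript
// Added example (not Rocket.Chat/gazzodown code). Names are hypothetical.

const SAFE_PROTOCOLS = new Set(['http:', 'https:']);
// Assumed base so that relative URLs ("/uploads/a.png") parse and resolve to https:.
const DUMMY_BASE = 'https://example.invalid/';

// Returns the original URL string if its effective scheme is allowlisted, otherwise null.
// Parsing normalises what a startsWith('javascript:') check misses: leading
// whitespace/control characters, tab or newline inside the scheme, mixed case.
function safeImageUrl(raw) {
  if (typeof raw !== 'string') return null;
  let parsed;
  try {
    parsed = new URL(raw, DUMMY_BASE);
  } catch {
    return null; // unparseable: drop it rather than render it
  }
  return SAFE_PROTOCOLS.has(parsed.protocol) ? raw : null;
}

// Attribute escaping stops breaking out of the attribute, but does nothing
// about a javascript: scheme that stays inside href/src.
function escapeAttr(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Mirrors the defect: the URL lands in both tags with no protocol check.
function renderImageRaw(url, alt) {
  return `<a href="${escapeAttr(url)}"><img src="${escapeAttr(url)}" alt="${escapeAttr(alt)}"></a>`;
}

// Hardened form: a URL with a non-http(s) scheme is never turned into a
// clickable or loadable element; only the alt text survives.
function renderImageSafe(url, alt) {
  const safe = safeImageUrl(url);
  if (safe === null) {
    return `<span>${escapeAttr(alt)}</span>`;
  }
  return renderImageRaw(safe, alt);
}

// Constructed sample payloads, the kind an authenticated user could post.
const SAMPLE_URLS = [
  'https://example.com/a.png',
  '/uploads/a.png',
  'javascript:alert(1)',
  'JaVaScRiPt:alert(1)',
  ' \tjava\nscript:alert(1)',
  'data:image/svg+xml;base64,AAAA',
  'vbscript:msgbox(1)',
];

// Map each sample to whether the hardened path keeps it as an image.
function classifySamples() {
  return SAMPLE_URLS.map((u) => [u, safeImageUrl(u) !== null]);
}

module.exports = { safeImageUrl, renderImageRaw, renderImageSafe, classifySamples };
```

The allowlist is deliberately stricter than the denylist LinkSpan uses: a new dangerous scheme does not need to be remembered, and the parser, not a hand-written string check, decides what the browser will treat as the scheme.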
Affected Systems
Any open‑source Rocket.Chat installation running a version prior to 8.5.0 is affected. The vulnerability lives in the ImageElement component of the gazzodown rendering package; no sub‑package or community edition is excluded.
Risk and Exploitability
The CVSS v3 score of 4.4 places the issue in the medium severity range. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an authenticated user to post the crafted markdown image and a victim to click it, so the attacker needs an account on the instance and the attack depends on user interaction. Given the moderate score and the reliance on user action, the practical risk is medium; upgrading to 8.5.0 or later removes the defect, and exposure is highest for organizations whose users run legacy browsers or whose workspaces accept unrestricted markdown from untrusted or guest accounts.
OpenCVE Enrichment