Impact
A malicious actor can permanently delete any uploaded file by ID from a Rocket.Chat instance if the deleteFileMessage Meteor method is accessed through an unauthenticated DDP WebSocket. The method performs no authentication check when Meteor.userId() returns null, allowing the deletion routine to execute unconditionally. This flaw results in data loss rather than exposure, but the loss of critical or sensitive files can disrupt operations and destroy audit trails. The weakness is rooted in improper authentication, classified as CWE-287.
Affected Systems
Rocket.Chat, specifically all releases prior to 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, 7.13.9 and 7.10.13. Any instance running these versions is vulnerable to the unauthenticated deletion path.
Risk and Exploitability
The CVSS v3.1 score of 7.5 indicates a high severity, yet the EPSS score falls below 1%, suggesting a low likelihood of exploitation in the near term. The vulnerability is not listed in the CISA KEV catalog. An attacker can trigger the deletion by issuing a deleteFileMessage command over a public DDP WebSocket connection; file identifiers are exposed in public message payloads and download URLs, making them discoverable by non‑authenticated users. Once the command is sent, the file is permanently removed from both storage and the database without any further checks.
OpenCVE Enrichment