Impact
Rocket.Chat’s Apple Sign‑In handler, before the fixes in the latest releases, verifies only the JWT signature but neglects essential claims validation, exposing the system to CWE‑287 and CWE‑294 weaknesses. The lack of checks on the token’s audience, expiration, not‑before, and nonce fields means that any Apple‑signed JWT with a non‑empty issuer is accepted. An attacker who obtains a valid Apple identity token for a target user—by extracting it from server logs, intercepting the sign‑in flow, or borrowing a token from another application under the same developer team—can replay that token with no expiration limits and impersonate the user.
Affected Systems
The vulnerability affects Rocket.Chat releases older than 8.5.1, 8.4.4, 8.3.6, 8.2.6, 8.1.6, 8.0.7, and 7.10.13. Updated versions of Rocket.Chat are not impacted.
Risk and Exploitability
The CVSS score of 7.4 indicates a moderate‑to‑high severity for authentication bypass. The EPSS score is not available, so the current exploitation probability is uncertain, but the flaw remains serious because it requires only possession of a valid Apple token and permits replay without expiration constraints. The vulnerability is not listed in the CISA KEV catalog, and the likely attack vector is the manual or automated replay of that token when Apple Sign‑In is enabled.
OpenCVE Enrichment