All users are advised to upgrade Rocket.Chat Server to 0.57.4, 0.58.4, 0.59.0 or greater.

Rocket.Chat Server version 0.58.3, 0.57.3 and prior versions are vulnerable to a NoSQL injection which can lead to an administrator account takeover.

Thank you to Steeve Barbeau for identifying and reporting the vulnerability. The details of the vulnerability will be shared in a future update.

If you have any questions, concerns or require advice please contact security@rocket.chat or chat to us on https://open.rocket.chat/channel/support.

Nick van den Berg