Cross-Room Data Exposure via Query Parameter Injection #39452
Issue: P0 - Cross-Room Data Exposure via Query Parameter Injection
Severity: Critical (P0)
Description
When the legacy unsafe query mode is enabled (ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS=TRUE), user-supplied query parameters can override enforced room ID (rid) filters in API endpoints. This allows any authenticated user to access messages and files from rooms they don't have access to.
Vulnerable Code Locations
- apps/meteor/app/api/server/v1/im.ts - Lines 337, 508, 562
- apps/meteor/app/api/server/v1/channels.ts - Lines 307, 825
- apps/meteor/app/api/server/v1/groups.ts - Lines 405, 791
Attack Vector
- Attacker enables ALLOW_UNSAFE_QUERY_AND_FIELDS_API_PARAMS (admin setting)
- Makes API request to /im.messages, /channels.messages, etc.
- Provides custom query: {"rid": "target-room-id", "otherFilter": "value"}
- Server merges query with server constraints: {...query, rid: allowed_room_id}
- Due to JavaScript spread order, user's rid OVERRIDES server's rid
- Attacker gains access to target room's data
Expected Behavior
Server-enforced room constraints (rid) should ALWAYS take precedence and cannot be overridden by user-supplied query parameters.
Fix Applied
- Filter out protected keys (rid) from user query before merging
- Apply consistently across all affected endpoints
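To make the merge problem and the fix concrete, here is an added example (not Rocket.Chat's code) that places the ordering in which a caller's key wins next to the hardened merge described under "Fix Applied". Only the `rid` key and the sample query values come from the issue; the function names `mergeQueryUnsafe`, `mergeQuerySafe` and `enforcesRoom` and the room id `allowed-room-id` are constructed for this illustration.

```typescript
// Added example (not Rocket.Chat code): merging a caller-supplied query
// object with a server-enforced room filter, the unsafe ordering beside the
// hardened version. `rid` is the room-id key named in the issue; the
// function names and the sample query are constructed for this example.

type Query = Record<string, unknown>;

// Keys the server decides itself; a caller must never be able to set them.
const PROTECTED_KEYS: ReadonlySet<string> = new Set(['rid']);

// Constructed caller input, using the values quoted in the issue.
const SAMPLE_USER_QUERY: Query = JSON.parse(
  '{"rid": "target-room-id", "otherFilter": "value"}',
);

// Unsafe merge: in an object literal the later entry wins, so when the
// server's constraint is spread before the caller's object the caller's
// `rid` silently replaces it.
function mergeQueryUnsafe(userQuery: Query, allowedRid: string): Query {
  return { rid: allowedRid, ...userQuery };
}

// Hardened merge, as described under "Fix Applied": strip protected keys
// from the caller's query first, then apply the server constraint last so
// it wins regardless of spread ordering.
function mergeQuerySafe(userQuery: Query, allowedRid: string): Query {
  const filtered: Query = {};
  for (const [key, value] of Object.entries(userQuery)) {
    if (PROTECTED_KEYS.has(key)) continue; // caller-supplied rid is dropped
    filtered[key] = value;
  }
  return { ...filtered, rid: allowedRid };
}

// Invariant check suitable for a regression test: the merged query must be
// scoped to exactly the room the server allowed.
function enforcesRoom(merged: Query, allowedRid: string): boolean {
  return merged.rid === allowedRid;
}

// Stand-alone demonstration.
console.log('unsafe:', mergeQueryUnsafe(SAMPLE_USER_QUERY, 'allowed-room-id'));
console.log('safe:  ', mergeQuerySafe(SAMPLE_USER_QUERY, 'allowed-room-id'));
```

Stripping the protected key and spreading the server constraint last are independent defences; applying both means a later refactor that changes the spread order cannot reintroduce the exposure, and `enforcesRoom` gives each affected endpoint a one-line assertion to run in its tests.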