CVE-2025-7974 LOW

CVE-2025-7974: rocket.chat Incorrect Authorization Information Disclosure Vulnerability

Vendor Rocket.chat

Product rocket.chat

Weakness CWE-863 · Incorrect authorization

Published September 2, 2025

Last update September 3, 2025

View on NVD All CVEs

CVSS base score

3.7/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

rocket.chat Incorrect Authorization Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of rocket.chat. Authentication is not required to exploit this vulnerability. The specific flaw exists within the web service, which listens on TCP port 3000 by default. The issue results from incorrect authorization. An attacker can leverage this vulnerability to disclose information in the context of the application. Was ZDI-CAN-26517.

Key dates

02Disclosure timeline

September 2, 2025 CVE published

September 3, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-7974

Related vulnerabilities

CVE-2025-7974: rocket.chat Incorrect Authorization Information Disclosure Vulnerability

01Description

02Disclosure timeline

03References

04Related CVE