XSS vulnerability - hotfix available for all affected versions

Markus Kirsch
December 18, 2020
min read

Learn more about the newest hotfix provided by Rocket.Chat's Security Team

Dear Rocket.Chat users,

We are providing an important security hotfix for Rocket.Chat server outside of the regular release cycle. This fix fixes a critical vulnerability that allowed Cross-Site-Scripting (XSS) in the message renderer.

We recommend you upgrade your instance as soon as possible, because the vulnerability has already become known and the creation of exploit kits by attackers is very likely.

Available versions: 3.9.3 / 3.8.4 / 3.7.4 / 2.4.14 / 1.3.5


The hotfix will only affect the message renderer. By exploiting the vulnerability, a user on the Rocket.Chat server may be able to elevate his privileges and/or modify messages, e.g. to remove traces of the exploit.

Please check our GitHub repository here (link) for your latest version. Or receive a notification whenever a new version – including hotfixes such as this one – is available by registering your server here (link).

Get started with Rocket.Chat’s secure collaboration platform

Talk to sales

Frequently asked questions about <anything>

Markus Kirsch
Related Article:
Team collaboration: 5 reasons to improve it and 6 ways to master it
Want to collaborate securely with your team?
Deploy Rocket.Chat on-premise or in the cloud and keep your conversations private.
  • Digital sovereignty
  • Federation capabilities
  • Scalable and white-labeled
Talk to sales
Looking for a HIPAA-ready communications platform?
Enable patients and healthcare providers to securely communicate without exposing their data.
  • Highly scalable and secure
  • Full patient conversation history
  • HIPAA-ready
Talk to sales
The #1 communications platform for government
Deploy Rocket.Chat on-premise, in the cloud, or air-gapped environment.
  • Secure data governance and digital sovereignty
  • Trusted by State, Local, and Federal agencies across the world
  • Matrix federation capabilities for cross-agency communication
Talk to sales
Want to customize Rocket.Chat according to your own preferences?
See behind the engine and change the code how you see fit.
  • Open source code
  • Highly secure and scalable
  • Unmatched flexibility
Talk to sales
Looking for a secure collaboration platform?
Keep your conversations private while enjoying a seamless collaboration experience with Rocket.Chat.
  • End-to-end encryption
  • Cloud or on-prem deployment
  • Supports compliance with HIPAA, GDPR, FINRA, and more
Talk to sales
Want to build a highly secure in-app chat experience?
Use Rocket.Chat’s APIs, frameworks, and managed backend to build a secure in-app or live chat experience for your customers.
  • Supports compliance with HIPAA, GDPR, FINRA, and more
  • Highly secure and flexible
  • On-prem or cloud deployment
Talk to sales

Our best content, once a week

Share this on:

Get your free, personalized demo now!

Build the most secure chat experience for your team or customers

Book demo