Cyber Resilience

CVE-2022-44567

Critical · RCE

Published: 23 December 2022
Modified: 15 April 2025
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0588 (90.8th percentile)
Risk Priority: 23 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-44567 is a critical-severity OS Command Injection (CWE-78) vulnerability in Rocket.Chat (vendor: Rocket.Chat); the affected component is the Rocket.Chat-Desktop client. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.2% of CVEs by exploit likelihood (EPSS 90.8th percentile); it is not currently listed in the CISA KEV catalog.

Deeper analysis

A command injection vulnerability affects Rocket.Chat-Desktop versions prior to 3.8.14. An attacker can supply a malicious URL to the openInternalVideoChatWindow function, which passes it directly to shell.openExternal in internalVideoChatWindow.ts. The function is reachable because it is exposed through the Rocket.Chat-Desktop API, and the vulnerable path is taken when the internal video chat window is disabled or when a Mac App Store build is in use.

The flaw can be triggered remotely via cross-site scripting or other means that invoke the exposed API. Successful exploitation grants the attacker remote code execution on the affected desktop client with no authentication or user interaction required, corresponding to the CVSS 9.8 rating and CWE-78 classification.

Public references consist of HackerOne reports that document the issue and the conditions needed for exploitation. The associated EPSS score has remained flat at 0.0588 with no material increase since disclosure.

Vulnerability details

A command injection vulnerability exists in Rocket.Chat-Desktop <3.8.14 that could allow an attacker to pass a malicious URL of openInternalVideoChatWindow to shell.openExternal(), which may lead to remote code execution (internalVideoChatWindow.ts#L17). To exploit the vulnerability, the internal video chat window must be disabled or a Mac App Store build must be used (internalVideoChatWindow.ts#L14). The vulnerability may be exploited by an XSS attack because the function openInternalVideoChatWindow is exposed in the Rocket.Chat-Desktop-API.
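An added example, not Rocket.Chat's code and not its actual fix: the unchecked pattern the details above describe, beside a hardened gate that parses the URL and allows only https to an allowlisted host before anything reaches the OS. The allowlisted hosts, the function names and the injected opener are assumptions so the block runs without Electron.

```typescript
// Added example, not Rocket.Chat's code. The pattern behind CVE-2022-44567 is an
// exposed API that hands an attacker-chosen string straight to Electron's
// shell.openExternal, which asks the OS to open it with whatever handler matches
// the scheme. The hardened path below parses the URL, accepts only https: to an
// allowlisted host, and hands the OS the normalised form only.

type OpenResult = { allowed: true; url: string } | { allowed: false; reason: string };

// Hypothetical allowlist (constructed); a real client would derive it from its
// configured video-chat providers rather than hard-code it.
const ALLOWED_VIDEO_HOSTS: ReadonlySet<string> = new Set(["meet.jit.si", "video.example.test"]);

function vetVideoChatUrl(raw: string, allowedHosts: ReadonlySet<string> = ALLOWED_VIDEO_HOSTS): OpenResult {
  let parsed: URL;
  try {
    parsed = new URL(raw); // rejects relative strings and non-URL garbage
  } catch {
    return { allowed: false, reason: "not an absolute URL" };
  }
  if (parsed.protocol !== "https:") {
    // file:, javascript:, and custom protocol handlers all stop here
    return { allowed: false, reason: `scheme ${parsed.protocol} not permitted` };
  }
  if (parsed.username !== "" || parsed.password !== "") {
    return { allowed: false, reason: "embedded credentials" };
  }
  if (!allowedHosts.has(parsed.hostname)) {
    return { allowed: false, reason: `host ${parsed.hostname} not allowlisted` };
  }
  return { allowed: true, url: parsed.href }; // normalised form only
}

// `openExternal` is injected so the example runs without Electron; in the
// client it would be shell.openExternal.
type Opener = (url: string) => void;

// Vulnerable shape: whatever the caller (possibly script reaching the exposed
// desktop API) supplies goes to the OS untouched.
function openVideoChatUnchecked(raw: string, openExternal: Opener): OpenResult {
  openExternal(raw);
  return { allowed: true, url: raw };
}

// Hardened shape: the OS only ever sees a vetted, normalised https URL.
function openVideoChatChecked(raw: string, openExternal: Opener): OpenResult {
  const verdict = vetVideoChatUrl(raw);
  if (verdict.allowed) openExternal(verdict.url);
  return verdict;
}
```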

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: rocket.chat
Product: rocket.chat
Versions: ≤ 3.8.14

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses CWE-78: Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Addresses CWE-78: Validates inputs to block special elements that would alter OS command execution.
