Task 1 of 6

How Rocket.Chat Got Hacked Without a Single Correct Password

In March 2021, security researchers disclosed a critical vulnerability in Rocket.Chat — an open-source messaging platform used by thousands of companies including government agencies, banks, and tech firms as a self-hosted Slack alternative.

CVE-2021-22911 — THE ATTACK CHAIN
Step 1: Attacker visits the "Forgot Password" page — no account needed
Step 2: Instead of typing an email address, attacker sends a MongoDB operator in the request
Step 3: The server passes this input directly into a MongoDB query without sanitising it
Step 4: MongoDB interprets the operator — matches any user — attacker receives a reset token for any account
Step 5: Attacker resets the admin password and takes full control of the server

The vulnerability was rated CVSS 9.8 — Critical. All Rocket.Chat installations before version 3.11.2 were affected. This wasn't a fringe product — Rocket.Chat had over 12 million users at the time of disclosure.

What made it possible?

The server was built on MongoDB — a NoSQL database used by Airbnb, eBay, Forbes, and thousands of startups. Unlike traditional SQL databases, MongoDB uses JSON-like query operators. The developers forgot that a user could send one of those operators as their input, and the database would happily execute it.

WHY THIS IS MORE COMMON THAN YOU THINK
MongoDB is everywhere: it's one of the most popular databases for Node.js, Express, and modern web apps — the exact stack startups and vibe-coded apps are built on.
Developers trust their own input: many tutorials show db.findOne({ username, password }) without warning that 'password' could be an object containing an operator.
NoSQL injection is underreported: SQL injection is in every security checklist. NoSQL injection is not — so developers don't look for it, and scanners often miss it.
Easy to exploit: no special tools needed. A single modified HTTP request is all it takes.
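The following is an added example written for this page; it is not Rocket.Chat's code and does not reproduce the real vulnerable handler. It builds a tiny in-memory stand-in for a MongoDB collection (only the $ne and $regex operators are emulated, and the user records are constructed), shows a "forgot password" lookup written in the trusting db.findOne({ email: body.email }) style the text describes, and then the same lookup with the type check that closes the hole, plus a recursive operator-key stripper of the kind middleware such as express-mongo-sanitize applies to a whole request body.

```javascript
// Added example (not Rocket.Chat's code): an in-memory stand-in for a MongoDB
// collection, a "forgot password" lookup written the way the vulnerable pattern
// looks, and the same lookup with the input check that closes the hole.

// Constructed sample users; the admin sorts first, as it often does in real collections.
const users = [
  { _id: 1, email: "admin@example.test", role: "admin" },
  { _id: 2, email: "alice@example.test", role: "user" },
];

function isPlainObject(value) {
  return value !== null && typeof value === "object" && !Array.isArray(value);
}

// Emulates how MongoDB compares a stored field with a query value: a string is an
// equality match, while an object whose first key starts with "$" is an operator
// expression. Only $ne and $regex are emulated here; anything else throws.
function matchesField(stored, queryValue) {
  const keys = isPlainObject(queryValue) ? Object.keys(queryValue) : [];
  if (keys.length === 0 || !keys[0].startsWith("$")) return stored === queryValue;
  return keys.every((op) => {
    const arg = queryValue[op];
    if (op === "$ne") return stored !== arg;
    if (op === "$regex") return new RegExp(arg).test(String(stored));
    throw new Error(`operator ${op} is not emulated in this example`);
  });
}

// Minimal findOne: the first document whose every queried field matches.
function findOne(collection, query) {
  const hit = collection.find((doc) =>
    Object.entries(query).every(([field, value]) => matchesField(doc[field], value))
  );
  return hit || null;
}

// VULNERABLE pattern: the parsed JSON body value goes straight into the query.
// If the client sends an object instead of a string, the database sees an operator.
function forgotPasswordVulnerable(body) {
  const user = findOne(users, { email: body.email });
  return user ? user.email : null; // the account a reset token would be issued for
}

// HARDENED pattern: refuse anything that is not a plain string before the value
// can reach the query builder. This is the primary control.
function requireString(value, fieldName) {
  if (typeof value !== "string") {
    throw new TypeError(`${fieldName} must be a string`);
  }
  return value;
}

function forgotPasswordHardened(body) {
  const email = requireString(body.email, "email");
  const user = findOne(users, { email });
  return user ? user.email : null;
}

// Secondary, whole-body defence: recursively drop any key beginning with "$",
// which is what middleware such as express-mongo-sanitize does. Per-field type
// checks remain the primary control; this only removes the operator syntax.
function stripOperatorKeys(value) {
  if (Array.isArray(value)) return value.map(stripOperatorKeys);
  if (isPlainObject(value)) {
    const clean = {};
    for (const [key, inner] of Object.entries(value)) {
      if (!key.startsWith("$")) clean[key] = stripOperatorKeys(inner);
    }
    return clean;
  }
  return value;
}
```

With a normal string both handlers resolve the same user. With an object carrying an operator in place of the email string, the vulnerable handler returns the first user in the collection (here, the admin), while the hardened handler throws before any query is built; after stripOperatorKeys the same body degrades to an empty object that matches no document.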

This module teaches you how it works, why it works, and how to find it yourself — on a real MongoDB database running inside your lab.

1. What was the CVE identifier for the Rocket.Chat NoSQL injection vulnerability?

2. The attacker didn't need a valid account to exploit CVE-2021-22911. Which endpoint were they targeting?
