Rocket.Chat: SSRF in link previews and privilege escalation via misconfigured MongoDB

SSRF - bypassing the blacklist

Despite the introduction of a blacklist for link previews, it was still possible to supply a domain that resolves to a prohibited address - e.g. by pointing your own domain at it or using a service like

Privilege escalation via misconfigured MongoDB

Point your domain at a server running redirect.rb, then send a message containing the appropriate URL to perform the attack:

This affects MongoDB instances with the HTTP interface enabled (--rest argument), although it is not enabled by default since 1.4.