Rocket.Chat

Recent Changes

• Update Rocket.Chat to 8.2.1

• Full Changelog

• (#​39508 by @​dionisio-bot) Security Hotfix (https://docs.rocket.chat/docs/security-fixes-and-updates)

• (#​39517 by @​dionisio-bot) Fixes ssrf validation for oauth endpoints, which allows internal endpoints to be used during the auth flow.

• This release focuses on security, stability, and usability improvements.

• SSRF protection was strengthened by moving URL validation into the server-fetch package with built-in safeguards like internal IP blocking, DNS rebinding protection, stricter redirect handling, and optional safe overrides, plus a new workspace allowlist for specific domains, IPs, and ports.

• The minimum supported MongoDB version was raised to 8.0 to improve the support matrix's stability.

• Federation now includes an added validation layer that restricts usage to users with verified emails matching the configured domain.

• OpenAPI documentation generation was improved to correctly handle multiple HTTP methods under the same endpoint path.

• Apps-Engine now supports multiple file uploads, a new uploads.delete endpoint allows individual file deletion, and username formatting across the UI has been standardized to consistently include an @​ prefix.

• The release also delivers a broad set of reliability and security fixes. It resolves a persistent Enterprise plan active pop-up caused by a failing API request, ensures chat routing respects agent limits in microservices deployments, and adds a MongoDB TTL index to automatically expire statistics after one year to control storage growth.

• Several Apps-Engine issues were addressed, including lost logs in nested requests and broken dynamic route parameters.