8.4.1 - 2 critical CVEs

[liorkesos]

Thanks for release 8.4.1 - It has minimized many of the critical security issues.
To pass acceptance with my customer POC, we are required to reach a "no critical CVEs" state.
Currently 8.4.1 has two critical issues - CVE-2025-68121 and CVE-2026-22863
Hope this is addressed promptly so we can qualify and progress with the POC

[ayyagarisujanreddy123]

Working on it!

[ayyagarisujanreddy123]

I did some digging into this and wanted to share findings that may help triage.

CVE-2025-68121 (Go crypto/tls) — This is a real vulnerability in Go's standard library, but Rocket.Chat does not ship any Go code. There are zero go.mod files, no golang base images in the Dockerfiles, and no setup-go actions in CI. This CVE is most likely surfacing in your scanner because of a Go binary bundled in the Docker base image or a transitive container layer — not something resolvable from the Rocket.Chat source tree.

CVE-2026-22863 (Deno node:crypto) — This one does apply. Rocket.Chat uses Deno for the apps-engine sandbox. The current pin in .tool-versions is Deno 2.3.1, which is affected. The fix is Deno ≥ 2.6.0. I'd be happy to open a PR bumping .tool-versions to 2.6.0 if the maintainers confirm that's welcome.

One additional note: apps/meteor/.docker/Dockerfile.debian still has ARG DENO_VERSION="1.37.1", which appears to be a stale pin from before the apps-engine v2 cutover. CI reads the Deno version from .tool-versions via awk, so this Dockerfile ARG likely only takes effect when DENO_VERSION is unset at compose time. A 1.x → 2.x bump there carries breaking-change risk and probably warrants separate discussion.

TL;DR: CVE-2025-68121 is not actionable in this repo. CVE-2026-22863 is fixable by bumping .tool-versions from Deno 2.3.1 → 2.6.0. Happy to submit a PR for that if it would be helpful.

[reetp]

we are required to reach a "no critical CVEs" state.

Today? Perhaps but what about something discovered tomorrow, or the day after, or the day after that?

What happens if your customer buys, and in a week you find a critical CVE?

No one can promise 100% bug free code 24/7.

I think you ought to consider your contractual obligations :-)

CE/Open source is also at your own risk with no support or guarantees. I'd look at an Enterprise subscription where you get proper support.

[liorkesos]

Sometimes big enterprise policies defy logic and practical reasoning - after clearing the initial sequirity gate, typically you have a monthly patch sunday or other cadence to maintain the security posture and patch level - with yearly more serious audits

[reetp]

Sometimes big enterprise policies defy logic and practical reasoning

Yup......

Also see my comment about licences.

You have an opportunity to push issues if you are paying.

With CE/Starter etc you are in the lap of the gods.