CVE-2021-22911

CRITICALNVD 9.89.8—Trending — 4 sources updated this weekWeaponized

9.8

A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE.

CVSS v3: 9.8
EG Score: 9.8(high)
EPSS: 99.7%
KEV: Not listed

Published

May 27, 2021

Last Modified

November 21, 2024

Advisory Details (2)

Auto-updated May 26, 2026

Patch available.

generic

HackerOne

https://hackerone.com/reports/1130721

generic Patch Available

NoSQL Injections in Rocket.Chat 3.12.1: How A Small Leak Grounds A Rocket | Sonar

https://blog.sonarsource.com/nosql-injections-in-rocket-chat

Weakness Classification(2)

MITRE Common Weakness Enumeration — the root-cause categories this CVE belongs to.

Data Freshness Timeline

(refreshed 8× in last 7d / 8× in last 30d)

Every time one of our enrichment pipelines (NVD, MITRE cvelistV5, EPSS, CISA KEV, GHSA, OSV, vendor advisories) ran against this CVE. Most recent first.

2026-05-29 13:42 UTCepss_batch
2026-05-28 13:43 UTCepss_batch
2026-05-28 13:43 UTCepss_batch
2026-05-26 16:00 UTCEG score recompute
2026-05-26 16:00 UTCGHSA enrichment
2026-05-26 07:17 UTCepss_batch
2026-05-26 07:17 UTCepss_batch
2026-05-25 07:07 UTCOSV refresh

Publicly available exploits

(5 references)

Working exploit code is in the public domain (2 GitHub PoCs) (2 Exploit-DB entries). Defenders should treat patch urgency accordingly — public PoCs typically lead to mass-exploitation within 24-72 hours.

GitHub PoCoptionalCTF/Rocket.Chat-Automated-Account-Takeover-RCE-CVE-2021-22911
First seen Jul 30, 2021
Full unauthenticated RCE proof of concept for Rocket.Chat 3.12.1 CVE-2021-22911
Open source ↗
Exploit-DBEDB-50108✓ verified
First seen Jul 7, 2021
Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)
Open source ↗
Exploit-DBEDB-49960✓ verified
First seen Jun 7, 2021
Rocket.Chat 3.12.1 - NoSQL Injection (Unauthenticated)
Open source ↗
GitHub PoCCsEnox/CVE-2021-22911
First seen Jun 5, 2021
Pre-Auth Blind NoSQL Injection leading to Remote Code Execution in Rocket Chat 3.12.1
Open source ↗
Nucleihttp/cves/2021/CVE-2021-22911.yaml
First seen Jan 1, 2021
Rocket.Chat <=3.13 - NoSQL Injection
Open source ↗

Frequently asked(5)

What is CVE-2021-22911?

CVE-2021-22911 is a critical vulnerability published on May 27, 2021. A improper input sanitization vulnerability exists in Rocket.Chat server 3.11, 3.12 & 3.13 that could lead to unauthenticated NoSQL injection, resulting potentially in RCE.

When was CVE-2021-22911 disclosed?

CVE-2021-22911 was first published in the National Vulnerability Database on May 27, 2021, with the most recent update on November 21, 2024. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.

Is CVE-2021-22911 actively exploited?

CVE-2021-22911 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 99.7% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.

What is the CVSS score of CVE-2021-22911?

CVE-2021-22911 has a CVSS v3 base score of 9.8 (NVD).

How do I remediate CVE-2021-22911?

Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2021-22911, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2021-22911

Explore →

Is Your Infrastructure Affected by CVE-2021-22911?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.

Start Free Scan →Browse All CVEs

CVE-2021-22911

📅 Published

🔄 Last Modified

📋 Advisory Details (2)