Summary
What's new
This release focuses on security, stability, and usability improvements. SSRF protection was strengthened by moving URL validation into the server-fetch package with built-in safeguards such as internal IP blocking, DNS rebinding protection, stricter redirect handling, and optional safe overrides, plus a new workspace allowlist for specific domains, IPs, and ports. The minimum supported MongoDB version was raised to 8.0 to keep the support matrix on a stable release line. Federation now includes an added validation layer that restricts usage to users with verified emails matching the configured domain. OpenAPI documentation generation was improved to correctly handle multiple HTTP methods under the same endpoint path. Apps-Engine now supports multiple file uploads, a new uploads.delete endpoint allows individual file deletion, and username formatting across the UI has been standardized to consistently include an @ prefix.
Bug fixes
The release also delivers a broad set of reliability and security fixes. It resolves a persistent “Enterprise plan active” pop-up caused by a failing API request, ensures chat routing respects agent limits in microservices deployments, and adds a MongoDB TTL index to automatically expire statistics after one year to control storage growth. Several Apps-Engine issues were addressed, including lost logs in nested requests and broken dynamic route parameters. Multiple API fixes improve correctness and security, such as proper handling of sort parameters, JSON payload parsing in webhooks, stricter query validation, correct schema validation for livechat custom fields, and preventing messages from being sent to archived rooms. End-to-end encryption issues were fixed, including subscription decryption, discussion creation in encrypted channels, and proper cleanup of attachments when encrypted messages are deleted. Additional security patches prevent exposure of sensitive fields in users.updateOwnBasicInfo, enforce 2FA and account status checks in the Enterprise DDP Streamer login flow, block video calls in read-only channels, and apply rate limits to verification email resends to prevent abuse. Finally, outgoing integrations now correctly accept and save retry count values.
For further details, check out the release notes.
Engine versions
- Node: 22.16.0
- Deno: 1.43.5
- MongoDB: 8.0
- Apps-Engine: 1.60.0
Minor Changes
- (#38099) Adds file metadata to the Apps.Engine for messages with multiple files
- (#38173) Adds a new endpoint to delete uploaded files individually
- (#38356) Creates a new setting with an extra layer of validation to restrict the usage of federation to only users with a validated email address that matches the configured federation domain.
- (#38044) Adds configurable SSRF validation for HTTP calls made from server
- (#38532) Standardizes the display of username with @ before
Patch Changes
- Bump @rocket.chat/meteor version.
- (#38374) Fixes an issue where apps logs were being lost in nested requests
- (#38283) Fixes an issue with encrypted rooms' message previews on the sidebar not always being properly decrypted
- (#37776) Prevents over-assignment of omnichannel agents beyond their max chats limit in microservices deployments by serializing agent assignment with explicit user-level locking.
- (#35971 by @JASIM0021) Fixes an issue where the Resend Verification Email could be abused to spam mail servers
- (#38653 by @copilot-swe-agent) Fixes an issue where messages could be sent to archived rooms via the API
- (#38794 by @copilot-swe-agent) Fixes preview generation for vendor-specific image formats like .dwg (AutoCAD) files. Files with MIME types such as image/vnd.dwg and image/vnd.microsoft.icon are now excluded from preview generation as they cannot be processed by the Sharp image library, preventing failed preview attempts.
- (#38796 by @copilot-swe-agent) Fixes an issue where regular users could start video conference calls in read-only channels, bypassing message restrictions
- (#38379) Fixes association of encrypted messages and encrypted files, so that if one of them is removed, the other gets removed as well.
- (#38616) Fixes device management logout not redirecting to the login page.
- (#37356 by @MrKalyanKing) Fixes an issue that caused the Outgoing Webhook Retry Count to not be a number
- (#38491) Fixes an issue where the camera could stay on after closing the video recording modal.
- (#38267) Fixes an issue where web clients could remain with a stale slashcommand list during a rolling workspace update
- (#38319) Fixes incoming webhook integrations not receiving parsed JSON from the x-www-form-urlencoded payload field.
- (#38579 by @ScriptShah) Fixes an issue where the managers table loading skeleton columns did not match the headers
- (#38318) Fixes inconsistent spacing of the Options menu in the room header toolbar
- (#38366) Fixes the sort parameter validation on the /api/v1/audit.settings endpoint to accept string format.
- (#38279) Fixes an issue when trying to create an unencrypted discussion when the parent channel is encrypted
- (#38262) Fixes an issue with the sidebar message preview (extended layout) showing undefined when the message has no previewable content
- (#38282) Fixes dismissed banner popups reappearing after server restart.
- (#38292) Fixes room message export to correctly handle messages with multiple files.
- (#38376) Fixes a validation issue in the livechat/custom-fields.save endpoint
- (#38415) Fixes the delete message permission check in read-only rooms to validate the deleting user's unmuted status instead of the message sender's
- (#38265) Fixes the omnichannel/contacts.update and omnichannel/contacts.conflicts endpoints, where the contact manager field could not be cleared.
- (#38596) Adjusts the minimum supported MongoDB version from 8.2 (Rapid Release with short support lifecycle) to 8, ensuring stable and long-term compatibility
- (#38568) Adds automatic cleanup of the statistics collection with 1-year retention via a TTL index.
Updated dependencies [bbc1489, 1182145, d3758a7, 398fca0, 098f0a7, fbc4935, e57f158, 11e1c51, 88da141, 1c47458, 75d089c, a75e1f1, 3b003e6, 87faec1, d6ef0db, 508b4a1, 379c2b2, 562d5ce, 123aebe]:
- @rocket.chat/apps-engine@1.60.0
- @rocket.chat/model-typings@2.1.0
- @rocket.chat/core-typings@8.2.0
- @rocket.chat/models@2.1.0
- @rocket.chat/message-parser@0.31.34
- @rocket.chat/core-services@0.13.0
- @rocket.chat/i18n@2.1.0
- @rocket.chat/rest-typings@8.2.0
- @rocket.chat/http-router@7.9.18
- @rocket.chat/ui-voip@18.0.0
- @rocket.chat/server-fetch@0.1.0
- @rocket.chat/federation-matrix@0.0.13
- @rocket.chat/presence@0.2.51
- @rocket.chat/apps@0.6.4
- @rocket.chat/fuselage-ui-kit@28.0.0
- @rocket.chat/omnichannel-services@0.3.48
- @rocket.chat/abac@0.1.4
- @rocket.chat/license@1.1.11
- @rocket.chat/media-calls@0.2.4
- @rocket.chat/pdf-worker@0.3.30
- @rocket.chat/api-client@0.2.51
- @rocket.chat/cron@0.1.51
- @rocket.chat/gazzodown@28.0.0
- @rocket.chat/message-types@0.1.0
- @rocket.chat/ui-avatar@24.0.0
- @rocket.chat/ui-client@28.0.0
- @rocket.chat/ui-contexts@28.0.0
- @rocket.chat/web-ui-registration@28.0.0
- @rocket.chat/omni-core-ee@0.0.16
- @rocket.chat/instance-status@0.1.51
- @rocket.chat/omni-core@0.0.16
- @rocket.chat/network-broker@0.2.30
- @rocket.chat/server-cloud-communication@0.0.2
- @rocket.chat/ui-theming@0.4.4
- @rocket.chat/ui-video-conf@28.0.0