fix: limit outgoing webhook response size and add changeset

Khizarshah01 · Khizarshah01 · commit 3108c1d570b8 · 2026-02-21T02:42:44.000+05:30
diff --git a/.changeset/shiny-pears-admire.md b/.changeset/shiny-pears-admire.md
@@ -0,0 +1,7 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Fix: Limit outgoing webhook response size to 10MB to prevent memory exhaustion
+
+Added a 10MB size limit to outgoing webhook responses to prevent the server from crashing when integrations return unexpectedly large responses.
diff --git a/apps/meteor/app/integrations/server/lib/triggerHandler.ts b/apps/meteor/app/integrations/server/lib/triggerHandler.ts
@@ -621,7 +621,7 @@ class RocketChatIntegrationHandler {
 				...(opts.data && { body: opts.data }),
 				// SECURITY: Integrations can only be configured by users with enough privileges. It's ok to disable this check here.
 				ignoreSsrfValidation: true,
-				size: 20 * 1024 * 1024,
+				size: 10 * 1024 * 1024,
 			},
 			settings.get('Allow_Invalid_SelfSigned_Certs'),
 		)

Original file line number	Diff line number	Diff line change
`@@ -621,7 +621,7 @@ class RocketChatIntegrationHandler {`
`621`	`621`	`...(opts.data && { body: opts.data }),`
`622`	`622`	`// SECURITY: Integrations can only be configured by users with enough privileges. It's ok to disable this check here.`
`623`	`623`	`ignoreSsrfValidation: true,`
`624`		`- size: 20 * 1024 * 1024,`
	`624`	`+ size: 10 * 1024 * 1024,`
`625`	`625`	`},`
`626`	`626`	`settings.get('Allow_Invalid_SelfSigned_Certs'),`
`627`	`627`	`)`