Improve stability of Outgoing Webhooks by limiting response size #38758

@Khizarshah01

Description:

The current implementation of triggerHandler.ts fetches webhook responses without a size limit. Node.js attempts to buffer the entire response body into memory (using res.text()).

If an integration endpoint returns a large response (e.g., a >2GB file, an infinite stream, or a compromised server), the Node.js process runs out of heap memory and terminates.
This can be triggered by:

  • A misconfigured integration URL pointing to a large file.
  • A compromised external integration server.
  • An infinite data stream from an external source.

Steps to reproduce:

  1. Create an Outgoing Webhook integration.
  2. Point the URL to an endpoint that serves a very large file or an infinite stream, larger than the available Node.js heap memory (typically >2GB).
  3. Trigger the webhook, for example by sending a message or uploading a file.
  4. Observe the Rocket.Chat server terminal.

Expected behavior:

The server should enforce a reasonable limit on the response size, such as 20MB, and abort the request if the limit is exceeded, logging an error instead of crashing.

Actual behavior:

The Node.js process consumes all available memory buffering the response and crashes with

Image

Server Setup Information:

  • Version of Rocket.Chat Server: 8.2.0-develop
  • Operating System: Linux
  • NodeJS Version: 22.18.0

Additional context

The fix involves adding the size option to the fetch call in apps/meteor/app/integrations/server/lib/triggerHandler.ts

Relevant logs:
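Added example, not part of the original issue and not Rocket.Chat code: one way to enforce the response cap described above by counting bytes while streaming the body, using only Node.js 18+ globals (`Response`, `ReadableStream`, `TextDecoder`). The names `readTextCapped`, `ResponseTooLargeError`, `MAX_RESPONSE_BYTES` and `endlessBody` are hypothetical.

```javascript
// Added example; names are hypothetical and not taken from triggerHandler.ts.
const MAX_RESPONSE_BYTES = 20 * 1024 * 1024; // 20MB, the limit the issue suggests

class ResponseTooLargeError extends Error {
  constructor(size, limit) {
    super(`webhook response exceeded ${limit} bytes (saw ${size})`);
    this.name = 'ResponseTooLargeError';
    this.size = size;
    this.limit = limit;
  }
}

// Read a fetch Response as text, refusing to buffer more than maxBytes.
// `controller` is the optional AbortController whose signal was passed to fetch().
async function readTextCapped(response, maxBytes = MAX_RESPONSE_BYTES, controller) {
  // Cheap early exit when the server declares an oversized body up front.
  const declared = Number(response.headers.get('content-length'));
  if (Number.isFinite(declared) && declared > maxBytes) {
    if (response.body) await response.body.cancel();
    if (controller) controller.abort();
    throw new ResponseTooLargeError(declared, maxBytes);
  }
  if (!response.body) return '';

  // Content-Length can be absent or wrong, so count the bytes actually received.
  const reader = response.body.getReader();
  const decoder = new TextDecoder();
  let received = 0;
  let text = '';
  for (;;) {
    const { done, value } = await reader.read();
    if (done) break;
    received += value.byteLength;
    if (received > maxBytes) {
      await reader.cancel(); // stop pulling data instead of draining the stream
      if (controller) controller.abort();
      throw new ResponseTooLargeError(received, maxBytes);
    }
    text += decoder.decode(value, { stream: true });
  }
  return text + decoder.decode();
}

// Constructed sample input: a body that never ends, standing in for an infinite stream.
function endlessBody(chunkSize) {
  return new ReadableStream({
    pull(ctrl) {
      ctrl.enqueue(new Uint8Array(chunkSize).fill(0x61));
    },
  });
}
```

A caller would catch `ResponseTooLargeError`, log it, and treat the webhook call as failed, so the memory used per response stays bounded by the cap plus one chunk.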
