fix: limit omnichannel webhook response size (#38944)

Khizarshah01 · kodiakhq[bot] · KevLehman · ahmed-n-abdeltwab · commit a9bb7e8c1c0d · 2026-02-24T11:06:34.000+02:00
Co-authored-by: kodiakhq[bot] &lt;49736102+kodiakhq[bot]@users.noreply.github.com&gt;
Co-authored-by: Kevin Aleman &lt;kaleman960@gmail.com&gt;
Co-authored-by: Guilherme Gazzo &lt;guilherme@gazzo.xyz&gt;
diff --git a/.changeset/tender-papayas-jam.md b/.changeset/tender-papayas-jam.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Limits Omnichannel webhook maximum response size to 10mb.
diff --git a/apps/meteor/app/livechat/server/api/v1/webhooks.ts b/apps/meteor/app/livechat/server/api/v1/webhooks.ts
@@ -66,6 +66,7 @@ API.v1.addRoute(
 				body: sampleData,
 				// SECURITY: Webhooks can only be configured by users with enough privileges. It's ok to disable this check here.
 				ignoreSsrfValidation: true,
+				size: 10 * 1024 * 1024,
 			} as ExtendedFetchOptions;
 
 			const webhookUrl = settings.get<string>('Livechat_webhookUrl');
diff --git a/apps/meteor/app/livechat/server/lib/webhooks.ts b/apps/meteor/app/livechat/server/lib/webhooks.ts
@@ -29,6 +29,7 @@ export async function sendRequest(
 			timeout,
 			// SECURITY: Webhooks can only be configured by users with enough privileges. It's ok to disable this check here.
 			ignoreSsrfValidation: true,
+			size: 10 * 1024 * 1024,
 		});
 
 		if (result.status === 200) {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@rocket.chat/meteor': patch
 +---
++
 +Limits Omnichannel webhook maximum response size to 10mb.