From dad0dba81eb2ea1aea4e1efff46b9b29309711aa Mon Sep 17 00:00:00 2001
From: "khizar (RinX)" <109973520+Khizarshah01@users.noreply.github.com>
Date: Mon, 23 Feb 2026 00:34:15 +0530
Subject: [PATCH] fix: limit outgoing webhook response size to prevent memory exhaustion (#38760)

Co-authored-by: Kevin Aleman <11577696+KevLehman@users.noreply.github.com>
---
 .changeset/shiny-pears-admire.md | 5 +++++
 apps/meteor/app/integrations/server/lib/triggerHandler.ts | 1 +
 2 files changed, 6 insertions(+)
 create mode 100644 .changeset/shiny-pears-admire.md

diff --git a/.changeset/shiny-pears-admire.md b/.changeset/shiny-pears-admire.md
new file mode 100644
index 00000000000..0e8287d708f
--- /dev/null
+++ b/.changeset/shiny-pears-admire.md
@@ -0,0 +1,5 @@
+---
+'@rocket.chat/meteor': patch
+---
+
+Limits `Outgoing webhook` maximum response size to 10mb.
diff --git a/apps/meteor/app/integrations/server/lib/triggerHandler.ts b/apps/meteor/app/integrations/server/lib/triggerHandler.ts
index 192419d6c21..43f48269930 100644
--- a/apps/meteor/app/integrations/server/lib/triggerHandler.ts
+++ b/apps/meteor/app/integrations/server/lib/triggerHandler.ts
@@ -621,6 +621,7 @@ class RocketChatIntegrationHandler {
 ...(opts.data && { body: opts.data }),
 // SECURITY: Integrations can only be configured by users with enough privileges. It's ok to disable this check here.
 ignoreSsrfValidation: true,
+ size: 10 * 1024 * 1024,
 },
 settings.get('Allow_Invalid_SelfSigned_Certs'),
 )
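Review bot: The added `size: 10 * 1024 * 1024,` line is an undocumented inline magic number, and the SECURITY comment directly above it covers only the SSRF exemption, so the reason for the cap is lost to the next reader. I would put a comment on it such as `// Cap the response body at 10 MiB: the remote endpoint is untrusted even when the integration was configured by a privileged user.` and lift the value into a named constant (or a setting) so it can be tuned without touching the call site. If the fetch wrapper forwards `size` to node-fetch, the limit is enforced while the body is being read and surfaces as a rejected promise, not as a truncated response. The handling after this call is outside the hunk, so it is worth confirming that this rejection is recorded in the integration history as a failed call and does not feed the retry path against the same oversized endpoint.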