Denial of service attack via push rule patterns in matrix-synapse

Impact

“Push rules” can specify conditions under which they will match, including event_match, which matches event content against a pattern including wildcards.

Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events.

Patches

The issue is patched by https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c.

Workarounds

A potential workaround might be to prevent users from making custom push rules, by blocking such requests at a reverse-proxy.

For more information

If you have any questions or comments about this advisory, email us at [email protected].