PYSEC-2024-50

2024-04-2318:15:00

Google

osv.dev

synapse

matrix

homeserver

vulnerability

state resolution

exploit

cpu consumption

database

denial of service

federations

upgrade

workarounds

admin api

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

7.1 High

AI Score

Confidence

High

0.0004 Low

EPSS

Percentile

10.4%

JSON

Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API.

CPENameOperatorVersion
matrix-synapseeq1.19.0
matrix-synapseeq1.56.0
matrix-synapseeq1.105.0
matrix-synapseeq1.52.0rc1
matrix-synapseeq1.56.0rc1
matrix-synapseeq1.3.0rc1
matrix-synapseeq1.66.0rc1
matrix-synapseeq1.92.0rc1
matrix-synapseeq1.73.0rc2
matrix-synapseeq1.9.0.dev2

Name	Operator	Version
matrix-synapse	eq	1.19.0
matrix-synapse	eq	1.56.0
matrix-synapse	eq	1.105.0
matrix-synapse	eq	1.52.0rc1
matrix-synapse	eq	1.56.0rc1
matrix-synapse	eq	1.3.0rc1
matrix-synapse	eq	1.66.0rc1
matrix-synapse	eq	1.92.0rc1
matrix-synapse	eq	1.73.0rc2
matrix-synapse	eq	1.9.0.dev2