CVE-2022-31052

CVE-2022-31052 affects Synapse (Matrix homeserver). In versions before 1.61.1, URL previews for some web pages can cause unbounded recursion, exhausting stack space and potentially crashing the Synapse process. Remote users can exploit via URL previews that clients auto-request, but the URL previ...

CVE-2021-21273

Synapse (matrix-synapse, Python/pypi) contains a vulnerability in versions before 1.25.0 where requests to user-provided domains were not restricted to external IPs when computing the key validity for third-party invite events and push notifications. This could allow requests to internal infrastr...

CVE-2025-30355

CVE-2025-30355 affects the Synapse Matrix homeserver. A malicious server can craft events that cause Synapse up to v1.127.0 to fail federating with other servers. The root cause is an input validation issue in how events are processed (notably with a depth value outside the allowed range in Canon...

CVE-2023-32682

CVE-2023-32682 affects Synapse (Matrix homeserver, Python/Twisted). The vulnerability allows a deactivated user to log in under specific configurations: either when JSON Web Tokens are enabled (jwt_config.enabled) or when a local password database is enabled (password_config.enabled and password_...

CVE-2023-32683

Synapse (Python, Twisted) contains a vulnerability CVE-2023-32683 where a discovered oEmbed or image URL can bypass the url_preview_url_blacklist, potentially enabling server-side request forgery or bypassing network policies. The impact is constrained to IPs allowed by url_preview_ip_range_black...

CVE-2020-26890

Matrix Synapse prior to 1.20.0 allowed non-standard NaN, Infinity, and -Infinity values in m.room.member event fields, enabling remote DoS against federation and Matrix clients; impact can persist across replicated servers and requires manual redaction. The connected advisories note upgrading to ...

CVE-2021-39163

CVE-2021-39163 affects Matrix Synapse (Matrix.org) up to version 1.41.0, where unauthorised users could learn a room’s name, avatar, topic, and member count by knowing the room ID. Impact is limited to homeservers that have enable_group_creation set to true; administrators can already access this...

CVE-2021-39164

CVE-2021-39164 affects Matrix Synapse (Matrix.org) up to version 1.41.0. It allows unauthenticated users to enumerate a room’s membership (list of members with display names) if the user knows the room ID, but only for rooms with shared history visibility and only when the user’s account is on a ...

CVE-2021-41281

CVE-2021-41281 affects Synapse (Matrix homeserver) versions before 1.47.1 with the media repository enabled. A path traversal vulnerability lets an attacker cause a remote file to be downloaded into an arbitrary directory without authentication; the impact is mitigated by the last two path compon...

CVE-2023-41335

CVE-2023-41335 affects the Synapse Matrix homeserver. When users update passwords, the new credentials may be briefly held in the server’s database, potentially ending up in backups longer than expected. The issue does not grant new capabilities but violates expectations around password storage. ...

CVE-2021-21332

CVE-2021-21332 describes an XSS vulnerability in the password reset endpoint of Synapse (Matrix reference homeserver, Python). Prior to version 1.27.0, an attacker could execute script via the password_reset flow, potentially access cookies and browser data, and leverage CSRF risks on the same do...

CVE-2020-26891

CVE-2020-26891 affects Matrix Synapse prior to version 1.21.0. The vulnerability is an XSS flaw in AuthRestServlet caused by unsafe interpolation of the session GET parameter, which could allow an attacker to craft a malicious URL that triggers script execution on the Synapse-hosted domain via en...

CVE-2021-21333

CVE-2021-21333 affects Synapse (matrix-synapse) before version 1.27.0. The notification emails for missed messages and for expiring accounts are subject to HTML injection, enabling an attacker to forge email content in the missed-messages notification. The account-expiry feature is not enabled by...

CVE-2021-29471

The CVE-2021-29471 issue affects the Matrix Synapse Python package (matrix-synapse) prior to version 1.33.2. It concerns Push rules with event_match patterns that can cause very poor performance in the rule-matching engine, potentially enabling a denial-of-service when processing moderate-length ...

CVE-2021-21394

CVE-2021-21394 affects the Matrix Synapse reference homeserver (Python, matrix-synapse) prior to version 1.28.0. The issue is invalid input validation on endpoints used to confirm third-party identifiers, which could cause excessive disk space and memory usage leading to resource exhaustion. The ...

CVE-2023-42453

CVE-2023-42453 affects Synapse (Matrix.org) — a Python/Twisted Matrix homeserver. The vulnerability allows forging read receipts for arbitrary events when the attacker knows the room ID and event ID, without needing to view the events. The consequence is clients may display the event as read by t...

CVE-2021-21274

CVE-2021-21274 affects Synapse (matrix-synapse) prior to version 1.25.0. A malicious homeserver could abuse .well-known redirection to a large file, causing denial of service by consuming significant resources on federated requests from untrusted servers. The issue is resolved in Synapse 1.25.0. ...

CVE-2024-31208

CVE-2024-31208 affects Synapse (Matrix homeserver) before 1.105.1. A remote matrix user sharing a room with such servers can dispatch crafted events to exploit the V2 state resolution algorithm, causing high CPU usage and database bloat leading to a denial of service. Impact is limited to servers...

CVE-2022-31152

CVE-2022-31152 affects the Synapse Matrix homeserver. Up to version 1.61.0, some event authorization rules are not correctly applied, allowing crafted events to be accepted by Synapse but not by a spec-conformant server. This can cause divergence in room state between federation-enabled servers. ...

CVE-2020-26257

CVE-2020-26257 affects Matrix Synapse, the Matrix homeserver. A malicious or poorly-implemented homeserver can inject malformed events by specifying a different room_id in the path of /send_join, /send_leave, /invite, or /exchange_third_party_invite, leading to a denial of service where future fe...

CVE-2021-21393

Summary: CVE-2021-21393 affects Synapse (matrix-synapse) prior to version 1.28.0, where missing input validation on endpoints that confirm third-party identifiers could allow excessive disk space and memory use, causing resource exhaustion. The issue is not part of the Matrix specification; maxim...

CVE-2021-21392

Synapse (matrix-synapse) prior to version 1.28.0 is affected by a vulnerability where requests to user-provided domains could escape external IP restrictions on dual-stack networks due to transitional IPv6 addresses. This may allow outbound requests to internal infrastructure during federation, i...

CVE-2019-18835

CVE-2019-18835 affects Matrix Synapse prior to 1.5.0. The root cause is improper signature verification on federation APIs; events sent over /send_join, /send_leave, and /invite may not be correctly signed or may not originate from the expected servers. This can allow spoofing or impersonation of...

CVE-2022-39374

Synapse (Matrix.org) vulnerable to CVE-2022-39374: when a malicious homeserver shares a room with a vulnerable Synapse, it can trick Synapse into accepting previously rejected events, causing subsequent messages and state changes from that server in the room to be rejected. This issue has been pa...

CVE-2024-37302

Synapse (Matrix homeserver) versions before 1.106 are vulnerable to a disk-fill DoS where an unauthenticated attacker can cause extensive remote-media downloads and caching due to inadequate default rate limiting. Synapse 1.106 adds a leaky-bucket rate limit on remote media downloads to help miti...

CVE-2022-41952

CVE-2022-41952 affects Matrix Synapse up to 1.52.x with URL previews enabled. The issue arises when previewing media stream URLs, as connections are not properly bounded by time or data, potentially causing long-lived connections to streaming servers (e.g., Icecast) and excessive traffic if expos...

CVE-2018-16515

Matrix Synapse prior to 0.33.3.1 is vulnerable to remote spoofing of events due to improper transaction and event signature validation. The issue affects Matrix Synapse kernels where an attacker could spoof events and possibly trigger unspecified impacts. Remediation is to upgrade to version 0.33...

CVE-2019-11842

Affected products: Matrix Sydent < 1.0.3 and Matrix Synapse

CVE-2024-37303

CVE-2024-37303 concerns Synapse before version 1.106, where unauthenticated remote participants could trigger download and caching of remote media into the local media repository, making such content downloadable again from the local server unauthenticated. The underlying issue is an attack surfa...

CVE-2022-39335

CVE-2022-39335 affects Synapse (Matrix homeserver). The issue: when a home server answers a query for authorization events via the Federation API, it does not sufficiently verify that the requesting server should access those events. This could enable access to authorization events in a room by u...

CVE-2024-53863

CVE-2024-53863 affects Synapse prior to 1.120.1. Enabling dynamic_thumbnails or handling a crafted request could trigger decoding/thumbnail generation of uncommon image formats, potentially invoking external decoders (e.g., Ghostscript) and expanding the attack surface. The vulnerability is mitig...

CVE-2019-5885

CVE-2019-5885 affects Matrix Synapse prior to 0.34.0.1. When the macaroon_secret_key parameter is not set, a predictable value is used to derive a secret key (and other secrets), which could allow remote attackers to impersonate users. The issue is documented across multiple sources (including a ...

CVE-2024-52805

CVE-2024-52805 affects Synapse before 1.120.1, where multipart/form-data requests can transiently increase memory usage during processing, potentially enabling amplification of denial-of-service attacks. The issue is addressed in Synapse 1.120.1 by denying requests with unsupported multipart/form...

CVE-2023-32323

CVE-2023-32323 affects the Synapse Matrix homeserver. The issue stems from an unlimited invite_room_state size in versions up to 1.73, enabling a malicious user with state-event permissions to disrupt outbound federation. A fix was introduced in 1.74, which refuses oversized invite_room_state fie...

CVE-2018-10657

Matrix Synapse before 0.28.1 is vulnerable to a denial-of-service (DoS) flaw triggered by specially crafted events with depth = 2^63 − 1, rendering rooms unusable. The issue is tied to federation/federation_base.py and handlers/message.py. Exploitation was observed in the wild in April 2018. Reme...

CVE-2023-43796

The CVE-2023-43796 vulnerability affects Synapse (Matrix homeserver). Before versions 1.95.1 and 1.96.0rc1, cached device information of remote users could be queried, enabling enumeration of users known to a homeserver. The issue is mitigated by upgrading to Synapse 1.95.1 or 1.96.0rc1. As a wor...

CVE-2023-45129

CVE-2023-45129 affects Synapse (Matrix homeserver). Before version 1.94.0, a malicious server ACL event can cause a (persistent) denial of service, impacting performance and reliability. Closed federation deployments are not affected. Mitigation: upgrade to Synapse 1.94.0 or later. As a workaroun...

CVE-2024-52815

CVE-2024-52815 affects the Synapse project (open-source Matrix homeserver). Versions before 1.120.1 fail to properly validate invites received over federation, allowing a malicious server to send a specially crafted invite that disrupts the invited user’s /sync functionality. The issue is mitigat...

CVE-2018-12291

Summary: Matrix Synapse before 0.31.1 has a bug in on_get_missing_events ( federation.py ) where event visibility rules were not applied correctly in get_missing_events, potentially exposing incorrect events. Impact: as described in multiple advisories; CVE-2018-12291. Remediation: upgrade to Syn...

CVE-2018-12423

CVE-2018-12423 affects Synapse prior to 0.31.2. The vulnerability allows unauthorized users to hijack rooms when there is no m.room.power_levels event in force. This is described consistently across multiple sources in the connected documents. Reported impact is room hijacking due to improper han...