Lucene search: MatrixSynapse

10 matches found

CVE | added 2020/11/24 3:15 a.m.

CVE-2020-26890

Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into the ...

CVSS 7.5 | AI score 7.4 | EPSS 0.00955
CVE | added 2021/11/23 8:15 p.m.

CVE-2021-41281

Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. No authentication is required for the affected endpoint. The...

CVSS 7.5 | AI score 7.6 | EPSS 0.00549
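The practitioner's check for the class of bug described in CVE-2021-41281 is that every on-disk path built from attacker-influenced identifiers (the remote server name and media ID) is validated syntactically and then confirmed to resolve inside the media store root. The following is an added example and not Synapse's own media repository code; the store layout `<root>/remote_content/<server_name>/<media_id>`, the allow-list regexes and the function names are choices made for this illustration, and `demo()` builds a throwaway store with a constructed symlink to exercise the checks.

```python
import os
import re
import tempfile

# Assumed layout for this example: <root>/remote_content/<server_name>/<media_id>.
# A Matrix server name is a hostname (or IPv4 literal) with an optional port; a media ID
# is an opaque token. Both are matched against tight allow-lists so that "..", "/", "%2F"
# and friends never reach the filesystem layer at all. (IPv6 literals are omitted here.)
_SERVER_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,253}(:[0-9]{1,5})?$")
_MEDIA_ID = re.compile(r"^[A-Za-z0-9_-]{1,255}$")


class UnsafeMediaPath(ValueError):
    """Raised when a requested media path would not stay inside the store root."""


def remote_media_path(root: str, server_name: str, media_id: str) -> str:
    """Return the absolute on-disk path at which a remote media file may be written.

    Two independent layers: syntactic validation of the untrusted identifiers, then a
    containment check on the fully resolved (symlink-free) path, so that neither a
    crafted name nor a symlink planted inside the store can redirect the write.
    """
    if not _SERVER_NAME.match(server_name):
        raise UnsafeMediaPath(f"bad server_name {server_name!r}")
    if not _MEDIA_ID.match(media_id):
        raise UnsafeMediaPath(f"bad media_id {media_id!r}")

    root_real = os.path.realpath(root)
    candidate = os.path.realpath(
        os.path.join(root_real, "remote_content", server_name, media_id)
    )
    # commonpath() compares whole components, so "/store2/x" is not "inside" "/store".
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise UnsafeMediaPath(f"{candidate!r} escapes media store {root_real!r}")
    return candidate


def demo() -> dict:
    """Build a temporary store, plant a symlink that escapes it, and run the checks."""
    root = tempfile.mkdtemp(prefix="media_store_")
    outside = tempfile.mkdtemp(prefix="outside_")
    os.makedirs(os.path.join(root, "remote_content"))
    # Constructed hazard: a directory entry named like a server that is really a symlink
    # out of the store. The regex cannot see this; only the realpath check can.
    os.symlink(outside, os.path.join(root, "remote_content", "evil.example"))

    root_real = os.path.realpath(root)
    results = {
        "root": root_real,
        "legit": remote_media_path(root, "matrix.example.org:8448", "AbCd1234_-"),
        "legit_expected": os.path.join(
            root_real, "remote_content", "matrix.example.org:8448", "AbCd1234_-"
        ),
    }
    probes = [
        ("dotdot_media_id", "matrix.example.org", "../../../etc/passwd"),
        ("slash_in_server_name", "matrix.example.org/..", "AbCd1234"),
        ("symlink_escape", "evil.example", "AbCd1234"),
    ]
    for label, server, media in probes:
        try:
            remote_media_path(root, server, media)
            results[label] = "allowed"
        except UnsafeMediaPath:
            results[label] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The regex layer alone would have accepted the `evil.example` case, which is why the containment check is done on `os.path.realpath()` output rather than on the string that was joined together.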
CVE | added 2022/09/02 8:15 p.m.

CVE-2022-31152

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of event authorization rules which must be checked when determining if an event should be accepted into a room. In versions of Synapse up to and including versi...

CVSS 7.5 | AI score 6.7 | EPSS 0.00693
CVE | added 2024/12/03 5:15 p.m.

CVE-2024-37302

Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead...

CVSS 7.5 | AI score 7.6 | EPSS 0.00311
CVE | added 2019/05/09 6:29 p.m.

CVE-2019-11842

An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.

CVSS 7.5 | AI score 7.5 | EPSS 0.00535
CVE | added 2025/03/27 1:15 a.m.

CVE-2025-30355

Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse versions up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workaroun...

CVSS 7.5 | AI score 7 | EPSS 0.05781
CVE | added 2019/03/21 4:01 p.m.

CVE-2019-5885

Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users.

CVSS 7.5 | AI score 7.5 | EPSS 0.008
CVE | added 2018/05/02 4:29 p.m.

CVE-2018-10657

Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in April 2018.

CVSS 7.5 | AI score 7.2 | EPSS 0.00402
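Both CVE-2020-26890 (NaN, Infinity and -Infinity accepted in event fields) and CVE-2018-10657 (a depth of 2^63 - 1 rendering rooms unusable) come down to the same control: an event received over federation must be parsed with a decoder that refuses anything outside Matrix canonical JSON before it is persisted. Python's `json.loads` accepts all three non-standard constants by default, and `float("1e999")` silently becomes `inf`, so the hooks have to reject by token. The following is an added example and not Synapse's own decoder; it assumes the canonical JSON rules (no NaN/Infinity, no floats, integers in [-(2^53)+1, 2^53-1]), and the event payloads are constructed for the demonstration.

```python
import json
import math

# Matrix canonical JSON integer range (assumed here from the spec's appendix on
# canonical JSON; it is narrower than the 2^63 - 1 depth seen in CVE-2018-10657).
MAX_INT = 2**53 - 1
MIN_INT = -(2**53) + 1


class InvalidEventJSON(ValueError):
    """Payload parses as JSON but is not acceptable as a Matrix event."""


def _reject_constant(token: str):
    # json.loads invokes this hook only for 'NaN', 'Infinity' and '-Infinity'.
    raise InvalidEventJSON(f"non-standard JSON constant {token} rejected")


def _reject_float(token: str):
    # Decided on the raw token: converting first would turn '1e999' into inf unnoticed.
    raise InvalidEventJSON(f"float {token} rejected; canonical JSON carries integers only")


def _bounded_int(token: str) -> int:
    value = int(token)
    if not MIN_INT <= value <= MAX_INT:
        raise InvalidEventJSON(f"integer {token} outside canonical JSON range")
    return value


def loads_event(raw: str):
    """Decode an event strictly; raises InvalidEventJSON or json.JSONDecodeError."""
    return json.loads(
        raw,
        parse_constant=_reject_constant,
        parse_float=_reject_float,
        parse_int=_bounded_int,
    )


def is_acceptable_event(raw: str) -> bool:
    try:
        loads_event(raw)
    except (InvalidEventJSON, json.JSONDecodeError):
        return False
    return True


def lenient_ts_is_nan(raw: str) -> bool:
    """What the default decoder does with the same payload: NaN sails straight through."""
    value = json.loads(raw)["origin_server_ts"]
    return isinstance(value, float) and math.isnan(value)


# Constructed sample events (hypothetical servers and users, not real traffic).
GOOD_EVENT = (
    '{"type":"m.room.member","state_key":"@alice:example.org","sender":"@alice:example.org",'
    '"content":{"membership":"join","displayname":"Alice"},"origin_server_ts":1700000000000,'
    '"depth":12}'
)
NAN_EVENT = GOOD_EVENT.replace('"origin_server_ts":1700000000000', '"origin_server_ts":NaN')
INFINITY_EVENT = GOOD_EVENT.replace('"depth":12', '"depth":-Infinity')
OVERFLOW_FLOAT_EVENT = GOOD_EVENT.replace('"depth":12', '"depth":1e999')
DEEP_EVENT = GOOD_EVENT.replace('"depth":12', '"depth":9223372036854775807')  # 2^63 - 1


if __name__ == "__main__":
    for name, raw in [("good", GOOD_EVENT), ("nan", NAN_EVENT), ("inf", INFINITY_EVENT),
                      ("1e999", OVERFLOW_FLOAT_EVENT), ("deep", DEEP_EVENT)]:
        print(f"{name:6} acceptable={is_acceptable_event(raw)}")
    print("default decoder keeps NaN:", lenient_ts_is_nan(NAN_EVENT))
```

Rejecting at decode time is the right layer: once a NaN or an oversized depth has been stored, every later consumer (state resolution, clients, other homeservers) inherits the problem, which is what turns a malformed event into a federation-wide denial of service.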
CVE | added 2018/06/13 2:29 p.m.

CVE-2018-12291

The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.

CVSS 7.5 | AI score 7.4 | EPSS 0.00211
CVE | added 2018/06/14 9:29 p.m.

CVE-2018-12423

In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.

CVSS 7.5 | AI score 7.4 | EPSS 0.00349