Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/matrix-synapse@1.114.0rc3
Type pypi
Namespace
Name matrix-synapse
Version 1.114.0rc3
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.152.1
Latest_non_vulnerable_version 1.152.1
Affected_by_vulnerabilities
0
url VCID-361n-7ar1-fqgr
vulnerability_id VCID-361n-7ar1-fqgr
summary
Synapse's invalid device keys degrade federation functionality
Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61672.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61672.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61672
reference_id
reference_type
scores
0
value 0.00046
scoring_system epss
scoring_elements 0.14558
published_at 2026-06-08T12:55:00Z
1
value 0.00046
scoring_system epss
scoring_elements 0.14676
published_at 2026-06-05T12:55:00Z
2
value 0.00046
scoring_system epss
scoring_elements 0.14682
published_at 2026-06-06T12:55:00Z
3
value 0.00046
scoring_system epss
scoring_elements 0.1464
published_at 2026-06-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61672
2
reference_url https://github.com/element-hq/synapse
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/element-hq/synapse
3
reference_url https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/
url https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1
4
reference_url https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/
url https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740
5
reference_url https://github.com/element-hq/synapse/pull/17097
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/
url https://github.com/element-hq/synapse/pull/17097
6
reference_url https://github.com/element-hq/synapse/releases/tag/v1.138.3
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/
url https://github.com/element-hq/synapse/releases/tag/v1.138.3
7
reference_url https://github.com/element-hq/synapse/releases/tag/v1.138.4
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/element-hq/synapse/releases/tag/v1.138.4
8
reference_url https://github.com/element-hq/synapse/releases/tag/v1.139.1
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/
url https://github.com/element-hq/synapse/releases/tag/v1.139.1
9
reference_url https://github.com/element-hq/synapse/releases/tag/v1.139.2
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/element-hq/synapse/releases/tag/v1.139.2
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117854
reference_id 1117854
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117854
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402525
reference_id 2402525
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2402525
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61672
reference_id CVE-2025-61672
reference_type
scores
0
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61672
13
reference_url https://github.com/advisories/GHSA-fh66-fcv5-jjfr
reference_id GHSA-fh66-fcv5-jjfr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-fh66-fcv5-jjfr
14
reference_url https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr
reference_id GHSA-fh66-fcv5-jjfr
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 5.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/
url https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr
fixed_packages
0
url pkg:pypi/matrix-synapse@1.138.3
purl pkg:pypi/matrix-synapse@1.138.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-44n9-z1mc-fydq
1
vulnerability VCID-57xv-u1be-mfez
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.138.3
1
url pkg:pypi/matrix-synapse@1.139.1
purl pkg:pypi/matrix-synapse@1.139.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-44n9-z1mc-fydq
1
vulnerability VCID-57xv-u1be-mfez
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.139.1
aliases CVE-2025-61672, GHSA-fh66-fcv5-jjfr
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-361n-7ar1-fqgr
1
url VCID-3gx5-a6ja-eyhc
vulnerability_id VCID-3gx5-a6ja-eyhc
summary
Synapse allows unsupported content types to lead to memory exhaustion
In Synapse before 1.120.1, `multipart/form-data` requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-52805
reference_id
reference_type
scores
0
value 0.01089
scoring_system epss
scoring_elements 0.78282
published_at 2026-06-08T12:55:00Z
1
value 0.01089
scoring_system epss
scoring_elements 0.78293
published_at 2026-06-07T12:55:00Z
2
value 0.01089
scoring_system epss
scoring_elements 0.78304
published_at 2026-06-06T12:55:00Z
3
value 0.01089
scoring_system epss
scoring_elements 0.78296
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-52805
1
reference_url https://github.com/element-hq/synapse
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/element-hq/synapse
2
reference_url https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:04:05Z/
url https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518
3
reference_url https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:04:05Z/
url https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609
4
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995
reference_id 1088995
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-52805
reference_id CVE-2024-52805
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-52805
6
reference_url https://github.com/advisories/GHSA-rfq8-j7rh-8hf2
reference_id GHSA-rfq8-j7rh-8hf2
reference_type
scores
url https://github.com/advisories/GHSA-rfq8-j7rh-8hf2
7
reference_url https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2
reference_id GHSA-rfq8-j7rh-8hf2
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:04:05Z/
url https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2
fixed_packages
0
url pkg:pypi/matrix-synapse@1.120.1
purl pkg:pypi/matrix-synapse@1.120.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.120.1
aliases CVE-2024-52805, GHSA-rfq8-j7rh-8hf2
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3gx5-a6ja-eyhc
2
url VCID-44n9-z1mc-fydq
vulnerability_id VCID-44n9-z1mc-fydq
summary
Synapse pagination Denial of Service
### Impact

In federated rooms, malicious homeservers can craft room events in a way that prevents Synapse from providing full history to paginating clients.

Clients could therefore fail to display room history.

### Patches

Update to Synapse 1.152.1 or later.

### Workarounds

There are no known workarounds for this issue.

### Identifiers

- ELEMENTSEC-2025-1636

### For more information

If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-45076
reference_id
reference_type
scores
0
value 0.00091
scoring_system epss
scoring_elements 0.25833
published_at 2026-06-05T12:55:00Z
1
value 0.00091
scoring_system epss
scoring_elements 0.25719
published_at 2026-06-08T12:55:00Z
2
value 0.00091
scoring_system epss
scoring_elements 0.25777
published_at 2026-06-07T12:55:00Z
3
value 0.00091
scoring_system epss
scoring_elements 0.25824
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-45076
1
reference_url https://github.com/element-hq/synapse
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/element-hq/synapse
2
reference_url https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v
reference_id
reference_type
scores
0
value 2.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:L
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value 5.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
3
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-06-02T14:51:22Z/
url https://github.com/element-hq/synapse/security/advisories/GHSA-6qf2-7x63-mm6v
3
reference_url https://github.com/advisories/GHSA-6qf2-7x63-mm6v
reference_id GHSA-6qf2-7x63-mm6v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6qf2-7x63-mm6v
fixed_packages
0
url pkg:pypi/matrix-synapse@1.152.1
purl pkg:pypi/matrix-synapse@1.152.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.152.1
aliases CVE-2026-45076, GHSA-6qf2-7x63-mm6v, PYSEC-2026-194
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-44n9-z1mc-fydq
3
url VCID-57xv-u1be-mfez
vulnerability_id VCID-57xv-u1be-mfez
summary Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-45078
reference_id
reference_type
scores
0
value 0.00014
scoring_system epss
scoring_elements 0.02963
published_at 2026-06-05T12:55:00Z
1
value 0.00014
scoring_system epss
scoring_elements 0.02901
published_at 2026-06-08T12:55:00Z
2
value 0.00014
scoring_system epss
scoring_elements 0.02917
published_at 2026-06-07T12:55:00Z
3
value 0.00014
scoring_system epss
scoring_elements 0.02971
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-45078
1
reference_url https://github.com/element-hq/synapse
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/element-hq/synapse
2
reference_url https://github.com/element-hq/synapse/commit/3f58bc50dfba5768ee43ce48c5e74c25ba0b078a
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/element-hq/synapse/commit/3f58bc50dfba5768ee43ce48c5e74c25ba0b078a
3
reference_url https://github.com/element-hq/synapse/issues/19394
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/element-hq/synapse/issues/19394
4
reference_url https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g
reference_id
reference_type
scores
0
value 5.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 6.8
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
3
value 7.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
4
value HIGH
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-05-29T15:31:35Z/
url https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g
5
reference_url https://github.com/advisories/GHSA-8q93-326v-3m7g
reference_id GHSA-8q93-326v-3m7g
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8q93-326v-3m7g
fixed_packages
0
url pkg:pypi/matrix-synapse@1.152.1
purl pkg:pypi/matrix-synapse@1.152.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.152.1
aliases CVE-2026-45078, GHSA-8q93-326v-3m7g, PYSEC-2026-191
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-57xv-u1be-mfez
4
url VCID-8vfd-w1xq-wuf9
vulnerability_id VCID-8vfd-w1xq-wuf9
summary
Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders
In Synapse versions before 1.120.1, enabling the `dynamic_thumbnails` option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing.

This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem.

For a list of image formats, as well as decoding libraries and helper programs used, see [the Pillow documentation](https://pillow.readthedocs.io/en/stable/handbook/image-file-formats.html).
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53863
reference_id
reference_type
scores
0
value 0.00962
scoring_system epss
scoring_elements 0.76863
published_at 2026-06-08T12:55:00Z
1
value 0.00962
scoring_system epss
scoring_elements 0.76876
published_at 2026-06-05T12:55:00Z
2
value 0.00962
scoring_system epss
scoring_elements 0.76873
published_at 2026-06-07T12:55:00Z
3
value 0.00962
scoring_system epss
scoring_elements 0.76884
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53863
1
reference_url https://github.com/element-hq/synapse
reference_id
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/element-hq/synapse
2
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995
reference_id 1088995
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53863
reference_id CVE-2024-53863
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53863
4
reference_url https://github.com/advisories/GHSA-vp6v-whfm-rv3g
reference_id GHSA-vp6v-whfm-rv3g
reference_type
scores
url https://github.com/advisories/GHSA-vp6v-whfm-rv3g
5
reference_url https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g
reference_id GHSA-vp6v-whfm-rv3g
reference_type
scores
0
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
1
value 8.2
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:07:32Z/
url https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g
6
reference_url https://usn.ubuntu.com/7444-1/
reference_id USN-7444-1
reference_type
scores
url https://usn.ubuntu.com/7444-1/
fixed_packages
0
url pkg:pypi/matrix-synapse@1.120.1
purl pkg:pypi/matrix-synapse@1.120.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.120.1
aliases CVE-2024-53863, GHSA-vp6v-whfm-rv3g
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8vfd-w1xq-wuf9
5
url VCID-f81p-k1bf-x7fq
vulnerability_id VCID-f81p-k1bf-x7fq
summary
Synapse Matrix has a partial room state leak via Sliding Sync
The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-53867
reference_id
reference_type
scores
0
value 0.00134
scoring_system epss
scoring_elements 0.32573
published_at 2026-06-05T12:55:00Z
1
value 0.00134
scoring_system epss
scoring_elements 0.32471
published_at 2026-06-08T12:55:00Z
2
value 0.00134
scoring_system epss
scoring_elements 0.32502
published_at 2026-06-07T12:55:00Z
3
value 0.00134
scoring_system epss
scoring_elements 0.32541
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-53867
1
reference_url https://github.com/element-hq/synapse
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/element-hq/synapse
2
reference_url https://github.com/matrix-org/matrix-spec-proposals/pull/4186
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:07:06Z/
url https://github.com/matrix-org/matrix-spec-proposals/pull/4186
3
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995
reference_id 1088995
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-53867
reference_id CVE-2024-53867
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-53867
5
reference_url https://github.com/advisories/GHSA-56w4-5538-8v8h
reference_id GHSA-56w4-5538-8v8h
reference_type
scores
url https://github.com/advisories/GHSA-56w4-5538-8v8h
6
reference_url https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h
reference_id GHSA-56w4-5538-8v8h
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:07:06Z/
url https://github.com/element-hq/synapse/security/advisories/GHSA-56w4-5538-8v8h
fixed_packages
0
url pkg:pypi/matrix-synapse@1.120.1
purl pkg:pypi/matrix-synapse@1.120.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.120.1
aliases CVE-2024-53867, GHSA-56w4-5538-8v8h
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f81p-k1bf-x7fq
6
url VCID-hnm3-rn4r-1qa4
vulnerability_id VCID-hnm3-rn4r-1qa4
summary
Synapse vulnerable to federation denial of service via malformed events
A malicious server can craft events with a `depth` outside the integer range allowed by Canonical JSON. When such an event is received by Synapse versions up to 1.127.0, it prevents the homeserver from federating with other servers. The vulnerability has been exploited in the wild.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-30355
reference_id
reference_type
scores
0
value 0.13201
scoring_system epss
scoring_elements 0.94278
published_at 2026-06-07T12:55:00Z
1
value 0.13201
scoring_system epss
scoring_elements 0.94277
published_at 2026-06-08T12:55:00Z
2
value 0.13201
scoring_system epss
scoring_elements 0.94275
published_at 2026-06-05T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-30355
1
reference_url https://github.com/element-hq/synapse
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/element-hq/synapse
2
reference_url https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T13:47:41Z/
url https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389
3
reference_url https://github.com/element-hq/synapse/releases/tag/v1.127.1
reference_id
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T13:47:41Z/
url https://github.com/element-hq/synapse/releases/tag/v1.127.1
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-30355
reference_id CVE-2025-30355
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-30355
5
reference_url https://github.com/advisories/GHSA-v56r-hwv5-mxg6
reference_id GHSA-v56r-hwv5-mxg6
reference_type
scores
url https://github.com/advisories/GHSA-v56r-hwv5-mxg6
6
reference_url https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6
reference_id GHSA-v56r-hwv5-mxg6
reference_type
scores
0
value 7.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T13:47:41Z/
url https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6
fixed_packages
0
url pkg:pypi/matrix-synapse@1.127.1
purl pkg:pypi/matrix-synapse@1.127.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-361n-7ar1-fqgr
1
vulnerability VCID-44n9-z1mc-fydq
2
vulnerability VCID-57xv-u1be-mfez
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.127.1
aliases CVE-2025-30355, GHSA-v56r-hwv5-mxg6
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hnm3-rn4r-1qa4
7
url VCID-mxt4-9769-pkd5
vulnerability_id VCID-mxt4-9769-pkd5
summary
Synapse allows a malformed invite to break the invitee's `/sync`
Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's `/sync` functionality.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-52815
reference_id
reference_type
scores
0
value 0.00353
scoring_system epss
scoring_elements 0.5801
published_at 2026-06-05T12:55:00Z
1
value 0.00353
scoring_system epss
scoring_elements 0.57993
published_at 2026-06-08T12:55:00Z
2
value 0.00353
scoring_system epss
scoring_elements 0.58008
published_at 2026-06-07T12:55:00Z
3
value 0.00353
scoring_system epss
scoring_elements 0.58018
published_at 2026-06-06T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-52815
1
reference_url https://github.com/element-hq/synapse
reference_id
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/element-hq/synapse
2
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995
reference_id 1088995
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-52815
reference_id CVE-2024-52815
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-52815
4
reference_url https://github.com/advisories/GHSA-f3r3-h2mq-hx2h
reference_id GHSA-f3r3-h2mq-hx2h
reference_type
scores
url https://github.com/advisories/GHSA-f3r3-h2mq-hx2h
5
reference_url https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h
reference_id GHSA-f3r3-h2mq-hx2h
reference_type
scores
0
value 8.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:05:32Z/
url https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h
fixed_packages
0
url pkg:pypi/matrix-synapse@1.120.1
purl pkg:pypi/matrix-synapse@1.120.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.120.1
aliases CVE-2024-52815, GHSA-f3r3-h2mq-hx2h
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mxt4-9769-pkd5
Fixing_vulnerabilities
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.114.0rc3