Search for packages
| purl | pkg:pypi/matrix-synapse@1.105.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-361n-7ar1-fqgr
Aliases: CVE-2025-61672 GHSA-fh66-fcv5-jjfr |
Synapse's invalid device keys degrade federation functionality Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. |
Affected by 2 other vulnerabilities. Affected by 2 other vulnerabilities. |
|
VCID-3gx5-a6ja-eyhc
Aliases: CVE-2024-52805 GHSA-rfq8-j7rh-8hf2 |
Synapse allows unsupported content types to lead to memory exhaustion In Synapse before 1.120.1, `multipart/form-data` requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. |
Affected by 0 other vulnerabilities. |
|
VCID-44n9-z1mc-fydq
Aliases: CVE-2026-45076 CVE-2026-45076, GHSA-6qf2-7x63-mm6v PYSEC-2026-194 |
Synapse pagination Denial of Service ### Impact In federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients. Clients could therefore fail to display room history. ### Patches Update to Synapse 1.152.1 or later. ### Workarounds There are no known workarounds for this issue. ### Identifiers - ELEMENTSEC-2025-1636 ### For more information If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io). |
Affected by 0 other vulnerabilities. |
|
VCID-57xv-u1be-mfez
Aliases: CVE-2026-45078 CVE-2026-45078, GHSA-8q93-326v-3m7g PYSEC-2026-191 |
Synapse is an open source Matrix homeserver implementation. Prior to 1.152.1, local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service. This vulnerability is fixed in 1.152.1. |
Affected by 0 other vulnerabilities. |
|
VCID-8vfd-w1xq-wuf9
Aliases: CVE-2024-53863 GHSA-vp6v-whfm-rv3g |
Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders In Synapse versions before 1.120.1, enabling the `dynamic_thumbnails` option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. For a list of image formats, as well as decoding libraries and helper programs used, see [the Pillow documentation](https://pillow.readthedocs.io/en/stable/handbook/image-file-formats.html). |
Affected by 0 other vulnerabilities. |
|
VCID-9t8r-dp58-xydr
Aliases: CVE-2024-31208 GHSA-3h7q-rfh9-xm4v PYSEC-2024-50 |
Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API. |
Affected by 9 other vulnerabilities. |
|
VCID-ewxj-3jt9-p7af
Aliases: CVE-2024-37303 GHSA-gjgr-7834-rhxr PYSEC-2024-287 |
Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector. |
Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. |
|
VCID-hnm3-rn4r-1qa4
Aliases: CVE-2025-30355 GHSA-v56r-hwv5-mxg6 |
Synapse vulnerable to federation denial of service via malformed events A malicious server can craft events with a `depth` outside the integer range allowed by Canonical JSON. When such an event is received by Synapse version up to 1.127.0, it prevents it from federating with other servers. The vulnerability has been exploited in the wild. |
Affected by 3 other vulnerabilities. |
|
VCID-mxt4-9769-pkd5
Aliases: CVE-2024-52815 GHSA-f3r3-h2mq-hx2h |
Synapse allows a a malformed invite to break the invitee's `/sync` Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's `/sync` functionality. |
Affected by 0 other vulnerabilities. |
|
VCID-z4xn-smp8-tfcj
Aliases: CVE-2024-37302 GHSA-4mhg-xv73-xq2x PYSEC-2024-286 |
Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new "leaky bucket" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached. |
Affected by 0 other vulnerabilities. Affected by 7 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||