Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:pypi/matrix-synapse@1.102.0

Type pypi

Namespace

Name matrix-synapse

Version 1.102.0

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 1.138.3

Latest_non_vulnerable_version 1.152.1

Affected_by_vulnerabilities

url VCID-9r6h-dqus-mbag

vulnerability_id VCID-9r6h-dqus-mbag

summary

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-52815

reference_id

reference_type

scores

value	0.00353
scoring_system	epss
scoring_elements	0.57945
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-52815

reference_url

https://github.com/element-hq/synapse

reference_id

reference_type

scores

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/element-hq/synapse

reference_url

https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h

reference_id

reference_type

scores

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:05:32Z/

url

https://github.com/element-hq/synapse/security/advisories/GHSA-f3r3-h2mq-hx2h

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-52815

reference_id

reference_type

scores

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-52815

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995
reference_id	1088995
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995

reference_url	https://github.com/advisories/GHSA-f3r3-h2mq-hx2h
reference_id	GHSA-f3r3-h2mq-hx2h
reference_type
scores
url	https://github.com/advisories/GHSA-f3r3-h2mq-hx2h

fixed_packages

url	pkg:pypi/matrix-synapse@1.120.1
purl	pkg:pypi/matrix-synapse@1.120.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.120.1

aliases CVE-2024-52815, GHSA-f3r3-h2mq-hx2h

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9r6h-dqus-mbag

url VCID-fzu5-7rfv-qfgx

vulnerability_id VCID-fzu5-7rfv-qfgx

summary

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-53863

reference_id

reference_type

scores

value	0.00962
scoring_system	epss
scoring_elements	0.76804
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-53863

reference_url

https://github.com/element-hq/synapse

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/element-hq/synapse

reference_url

https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:07:32Z/

url

https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-53863

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-53863

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995
reference_id	1088995
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995

reference_url	https://github.com/advisories/GHSA-vp6v-whfm-rv3g
reference_id	GHSA-vp6v-whfm-rv3g
reference_type
scores
url	https://github.com/advisories/GHSA-vp6v-whfm-rv3g

reference_url	https://usn.ubuntu.com/7444-1/
reference_id	USN-7444-1
reference_type
scores
url	https://usn.ubuntu.com/7444-1/

fixed_packages

url	pkg:pypi/matrix-synapse@1.120.1
purl	pkg:pypi/matrix-synapse@1.120.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.120.1

aliases CVE-2024-53863, GHSA-vp6v-whfm-rv3g

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-fzu5-7rfv-qfgx

url VCID-g7rm-55dm-tybk

vulnerability_id VCID-g7rm-55dm-tybk

summary Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new "leaky bucket" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but does limit an unauthenticated user's ability to request large amounts of data to be cached.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-37302

reference_id

reference_type

scores

value	0.00568
scoring_system	epss
scoring_elements	0.68844
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-37302

reference_url

https://github.com/element-hq/synapse

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/element-hq/synapse

reference_url

https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T18:55:21Z/

url

https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-37302

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	8.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-37302

reference_url	https://github.com/advisories/GHSA-4mhg-xv73-xq2x
reference_id	GHSA-4mhg-xv73-xq2x
reference_type
scores
url	https://github.com/advisories/GHSA-4mhg-xv73-xq2x

fixed_packages

url	pkg:pypi/matrix-synapse@1.106
purl	pkg:pypi/matrix-synapse@1.106
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106

url pkg:pypi/matrix-synapse@1.106.0

purl pkg:pypi/matrix-synapse@1.106.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9r6h-dqus-mbag

vulnerability	VCID-fzu5-7rfv-qfgx

vulnerability	VCID-k4kh-v8t1-wqfg

vulnerability	VCID-nmcr-v864-nkde

vulnerability	VCID-t1ed-3zjj-eude

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106.0

aliases CVE-2024-37302, GHSA-4mhg-xv73-xq2x, PYSEC-2024-286

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-g7rm-55dm-tybk

url VCID-k4kh-v8t1-wqfg

vulnerability_id VCID-k4kh-v8t1-wqfg

summary

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-30355

reference_id

reference_type

scores

value	0.13201
scoring_system	epss
scoring_elements	0.94254
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-30355

reference_url

https://github.com/element-hq/synapse

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/element-hq/synapse

reference_url

https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T13:47:41Z/

url

https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389

reference_url

https://github.com/element-hq/synapse/releases/tag/v1.127.1

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T13:47:41Z/

url

https://github.com/element-hq/synapse/releases/tag/v1.127.1

reference_url

https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-03-27T13:47:41Z/

url

https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-30355

reference_id

reference_type

scores

value	7.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-30355

reference_url	https://github.com/advisories/GHSA-v56r-hwv5-mxg6
reference_id	GHSA-v56r-hwv5-mxg6
reference_type
scores
url	https://github.com/advisories/GHSA-v56r-hwv5-mxg6

fixed_packages

url pkg:pypi/matrix-synapse@1.127.1

purl pkg:pypi/matrix-synapse@1.127.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-nmcr-v864-nkde

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.127.1

aliases CVE-2025-30355, GHSA-v56r-hwv5-mxg6

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k4kh-v8t1-wqfg

url VCID-nmcr-v864-nkde

vulnerability_id VCID-nmcr-v864-nkde

summary

Synapse's invalid device keys degrade federation functionality
Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61672.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61672.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-61672

reference_id

reference_type

scores

value	0.00046
scoring_system	epss
scoring_elements	0.14639
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-61672

reference_url

https://github.com/element-hq/synapse

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/element-hq/synapse

reference_url

https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/

url

https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1

reference_url

https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/

url

https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740

reference_url

https://github.com/element-hq/synapse/pull/17097

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/

url

https://github.com/element-hq/synapse/pull/17097

reference_url

https://github.com/element-hq/synapse/releases/tag/v1.138.3

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/

url

https://github.com/element-hq/synapse/releases/tag/v1.138.3

reference_url

https://github.com/element-hq/synapse/releases/tag/v1.138.4

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/element-hq/synapse/releases/tag/v1.138.4

reference_url

https://github.com/element-hq/synapse/releases/tag/v1.139.1

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/

url

https://github.com/element-hq/synapse/releases/tag/v1.139.1

reference_url

https://github.com/element-hq/synapse/releases/tag/v1.139.2

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/element-hq/synapse/releases/tag/v1.139.2

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117854
reference_id	1117854
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117854

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2402525
reference_id	2402525
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2402525

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-61672

reference_id

CVE-2025-61672

reference_type

scores

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-61672

reference_url

https://github.com/advisories/GHSA-fh66-fcv5-jjfr

reference_id

GHSA-fh66-fcv5-jjfr

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-fh66-fcv5-jjfr

reference_url

https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr

reference_id

GHSA-fh66-fcv5-jjfr

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	5.3
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-15T16:10:58Z/

url

https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr

fixed_packages

url	pkg:pypi/matrix-synapse@1.138.3
purl	pkg:pypi/matrix-synapse@1.138.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.138.3

url	pkg:pypi/matrix-synapse@1.139.1
purl	pkg:pypi/matrix-synapse@1.139.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.139.1

aliases CVE-2025-61672, GHSA-fh66-fcv5-jjfr

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nmcr-v864-nkde

url VCID-nmup-uep4-b7hw

vulnerability_id VCID-nmup-uep4-b7hw

summary Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The implication is that unauthenticated remote adversaries can use this functionality to plant problematic content into the media repository. Synapse 1.106 introduces a partial mitigation in the form of new endpoints which require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, closing the attack vector.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-37303

reference_id

reference_type

scores

value	0.00342
scoring_system	epss
scoring_elements	0.57075
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-37303

reference_url

https://github.com/element-hq/synapse

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/element-hq/synapse

reference_url

https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T18:49:29Z/

url

https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr

reference_url

https://github.com/matrix-org/matrix-spec-proposals/pull/3916

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T18:49:29Z/

url

https://github.com/matrix-org/matrix-spec-proposals/pull/3916

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-37303

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-37303

reference_url	https://github.com/advisories/GHSA-gjgr-7834-rhxr
reference_id	GHSA-gjgr-7834-rhxr
reference_type
scores
url	https://github.com/advisories/GHSA-gjgr-7834-rhxr

fixed_packages

url	pkg:pypi/matrix-synapse@1.106
purl	pkg:pypi/matrix-synapse@1.106
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106

url pkg:pypi/matrix-synapse@1.106.0

purl pkg:pypi/matrix-synapse@1.106.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9r6h-dqus-mbag

vulnerability	VCID-fzu5-7rfv-qfgx

vulnerability	VCID-k4kh-v8t1-wqfg

vulnerability	VCID-nmcr-v864-nkde

vulnerability	VCID-t1ed-3zjj-eude

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.106.0

aliases CVE-2024-37303, GHSA-gjgr-7834-rhxr, PYSEC-2024-287

risk_score 2.4

exploitability 0.5

weighted_severity 4.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nmup-uep4-b7hw

url VCID-ry9q-34p9-auh6

vulnerability_id VCID-ry9q-34p9-auh6

summary Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-31208

reference_id

reference_type

scores

value	0.03089
scoring_system	epss
scoring_elements	0.87015
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-31208

reference_url

https://github.com/element-hq/synapse

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/element-hq/synapse

reference_url

https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/

url

https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a

reference_url

https://github.com/element-hq/synapse/releases/tag/v1.105.1

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/

url

https://github.com/element-hq/synapse/releases/tag/v1.105.1

reference_url

https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/

url

https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v

reference_url

https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-50.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-50.yaml

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069763
reference_id	1069763
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1069763

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-31208

reference_id

CVE-2024-31208

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-31208

reference_url

https://github.com/advisories/GHSA-3h7q-rfh9-xm4v

reference_id

GHSA-3h7q-rfh9-xm4v

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3h7q-rfh9-xm4v

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB/

reference_id

R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K/

reference_id

RR53FNHV446CB37TP45GZ6F6HZLZCK3K

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K/

reference_url	https://usn.ubuntu.com/7444-1/
reference_id	USN-7444-1
reference_type
scores
url	https://usn.ubuntu.com/7444-1/

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET/

reference_id

VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-04-23T19:13:09Z/

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET/

fixed_packages

url pkg:pypi/matrix-synapse@1.105.1

purl pkg:pypi/matrix-synapse@1.105.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-9r6h-dqus-mbag

vulnerability	VCID-fzu5-7rfv-qfgx

vulnerability	VCID-g7rm-55dm-tybk

vulnerability	VCID-k4kh-v8t1-wqfg

vulnerability	VCID-nmcr-v864-nkde

vulnerability	VCID-nmup-uep4-b7hw

vulnerability	VCID-t1ed-3zjj-eude

resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.105.1

aliases CVE-2024-31208, GHSA-3h7q-rfh9-xm4v, PYSEC-2024-50

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ry9q-34p9-auh6

url VCID-t1ed-3zjj-eude

vulnerability_id VCID-t1ed-3zjj-eude

summary

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-52805

reference_id

reference_type

scores

value	0.01089
scoring_system	epss
scoring_elements	0.78231
published_at	2026-05-30T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-52805

reference_url

https://github.com/element-hq/synapse

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/element-hq/synapse

reference_url

https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:04:05Z/

url

https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2

reference_url

https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:04:05Z/

url

https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518

reference_url

https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-12-03T19:04:05Z/

url

https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-52805

reference_id

reference_type

scores

value	8.2
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-52805

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995
reference_id	1088995
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1088995

reference_url	https://github.com/advisories/GHSA-rfq8-j7rh-8hf2
reference_id	GHSA-rfq8-j7rh-8hf2
reference_type
scores
url	https://github.com/advisories/GHSA-rfq8-j7rh-8hf2

fixed_packages

url	pkg:pypi/matrix-synapse@1.120.1
purl	pkg:pypi/matrix-synapse@1.120.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.120.1

aliases CVE-2024-52805, GHSA-rfq8-j7rh-8hf2

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-t1ed-3zjj-eude

Fixing_vulnerabilities

Risk_score 3.4

Resource_url http://public2.vulnerablecode.io/packages/pkg:pypi/matrix-synapse@1.102.0

Package Instance