CVE-2024-31208: Allocation of Resources Without Limits or Throttling in Synapse

Severity: 6.5 MEDIUM (NVD)
EPSS: 2.3% (top 15.24%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Apr 23; Latest update Apr 22

Description

Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (Exploitability: 2.8 | Impact: 3.6)

Affected Packages (2 packages)

NVD: matrix/synapse < 1.105.1
CVEListV5: element-hq/synapse < 1.105.1

Also affects: Fedora 38, 39, 40

Patches

Vulnerability Details (4)

CVEList: Synapse's V2 state resolution weakness allows DoS from remote room members (2024-04-23)
OSV: CVE-2024-31208: Synapse is an open-source Matrix homeserver (2024-04-23)
GHSA: Synapse V2 state resolution weakness allows Denial of Service (DoS) (2024-04-23)
OSV: Synapse V2 state resolution weakness allows Denial of Service (DoS) (2024-04-23)

Vendor Advisories (2)

Ubuntu: Synapse vulnerabilities (2025-04-22)
Debian: CVE-2024-31208: matrix-synapse - Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious... (2024)
CVE-2024-31208 — Element-hq Synapse vulnerability | cvebase