CVE-2024-53863: Unrestricted File Upload in Synapse

Severity
8.2 HIGH (NVD)
EPSS
0.7% (top 27.75%)
CISA KEV
Not in KEV
Exploit
No known exploits
Timeline
Published: Dec 3, 2024
Latest update: Apr 22, 2025

Description

Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the ope
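The description above is about a decoder being selected by the file content rather than by an explicit policy. The following is an added illustration for this page, not Synapse's own code or the fix shipped in 1.120.1 (upgrading is the actual remedy): it gates thumbnail generation on the blob's sniffed format against a closed allowlist, so neither a client-supplied Content-Type nor a crafted body can steer the server into an exotic decoder such as Pillow's EPS plugin, which hands the file to Ghostscript. The allowlist ALLOWED_THUMBNAIL_TYPES is an assumed policy chosen for the example, and the sample blobs are constructed headers, not real images.

```python
# Added illustration for this advisory, not Synapse's own code: decide whether
# an upload may be thumbnailed from its sniffed format against a closed
# allowlist. ALLOWED_THUMBNAIL_TYPES is an assumed policy for this example.

from typing import Optional, Tuple

ALLOWED_THUMBNAIL_TYPES = frozenset(
    {"image/png", "image/jpeg", "image/gif", "image/webp"}
)


def sniff_format(data: bytes) -> Optional[str]:
    """Identify the real format from magic bytes; None if unrecognised.

    Only the header is inspected, so this runs without any image library
    and never invokes a decoder to find out what the file is.
    """
    if data.startswith(b"\x89PNG\r\n\x1a\n"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data[:6] in (b"GIF87a", b"GIF89a"):
        return "image/gif"
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    # PostScript/EPS: the textual "%!PS" header or the DOS EPS binary header.
    # A general-purpose image library would route either to Ghostscript.
    if data.startswith(b"%!PS") or data[:4] == b"\xc5\xd0\xd3\xc6":
        return "application/postscript"
    return None


def may_thumbnail(declared_type: str, data: bytes) -> Tuple[bool, str]:
    """Return (allowed, reason). The declared Content-Type is never trusted alone."""
    real = sniff_format(data)
    if real is None:
        return False, "unrecognised format"
    if real not in ALLOWED_THUMBNAIL_TYPES:
        return False, f"{real} is not thumbnailable"
    # Reject mismatches too: a body of one type under another type's label is
    # exactly the "specially crafted request" shape worth refusing outright.
    if declared_type.split(";")[0].strip().lower() != real:
        return False, f"declared {declared_type} but content is {real}"
    return True, real


# Constructed sample blobs (headers only; not real, decodable images).
PNG_SAMPLE = b"\x89PNG\r\n\x1a\n" + b"\x00\x00\x00\rIHDR" + b"\x00" * 17
EPS_SAMPLE = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n"
DOS_EPS_SAMPLE = b"\xc5\xd0\xd3\xc6" + b"\x00" * 26

if __name__ == "__main__":
    cases = [
        ("image/png", PNG_SAMPLE),      # genuine PNG: allowed
        ("image/png", EPS_SAMPLE),      # EPS labelled as PNG: refused
        ("image/png", DOS_EPS_SAMPLE),  # binary EPS labelled as PNG: refused
    ]
    for declared, blob in cases:
        print(declared, may_thumbnail(declared, blob))
```

The design point is that the decision is made from bytes the server has already read, before any decoder runs; whatever formats a library happens to support is irrelevant once only the allowlisted ones are ever handed to it.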

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Affected Packages (2 packages)
NVD: matrix/synapse < 1.120.1
CVEListV5: element-hq/synapse < 1.120.1

Vulnerability Details (4)
CVEList: Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders (2024-12-03)
OSV: Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders (2024-12-03)
OSV: CVE-2024-53863: Synapse is an open-source Matrix homeserver (2024-12-03)
GHSA: Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders (2024-12-03)

Vendor Advisories (2)
Ubuntu: Synapse vulnerabilities (2025-04-22)
Debian: CVE-2024-53863: matrix-synapse - Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1,... (2024)
CVE-2024-53863 — Unrestricted File Upload in Synapse | cvebase