CVE-2025-30355 — Improper Input Validation in Synapse

CWE-20 — Improper Input Validation7 documents6 sources

Severity

7.5HIGHNVD

CNA7.1VulnCheck7.1

EPSS

7.5%

top 8.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Element-hq Synapse Matrix Synapse

Timeline

PublishedMar 27

Description

Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages2 packages

▶NVDmatrix/synapse< 1.127.1

▶CVEListV5element-hq/synapse< 1.127.1

Patches

Patch: github.com ↗

🔴Vulnerability Details

GHSA

Synapse vulnerable to federation denial of service via malformed events↗2025-03-27

▶

OSV

CVE-2025-30355: Synapse is an open source Matrix homeserver implementation↗2025-03-27

▶

CVEList

Synapse vulnerable to federation denial of service via malformed events↗2025-03-27

▶

OSV

Synapse vulnerable to federation denial of service via malformed events↗2025-03-27

▶

VulnCheck

matrix synapse Improper Input Validation↗2025

▶

📋Vendor Advisories

Debian

CVE-2025-30355: matrix-synapse - Synapse is an open source Matrix homeserver implementation. A malicious server c...↗2025

▶