CVE-2025-61672Improper Validation of Specified Type of Input in Synapse

CWE-1287Improper Validation of Specified Type of InputCWE-1286Improper Validation of Syntactic Correctness of Input7 documents6 sources
Severity
5.3MEDIUMNVD
EPSS
0.0%
top 87.25%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
Element-hq Synapse
Timeline
PublishedOct 8

Description

Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Affected Packages1 packages

CVEListV5element-hq/synapse< 1.138.3+1

🔴Vulnerability Details

4
CVEList
Synapse: Invalid device keys degrade federation functionality2025-10-08
OSV
CVE-2025-61672: Synapse is an open source Matrix homeserver implementation2025-10-08
GHSA
Synapse's invalid device keys degrade federation functionality2025-10-08
OSV
Synapse's invalid device keys degrade federation functionality2025-10-08

📋Vendor Advisories

2
Red Hat
matrix-synapse: Synapse: Lack of device key validation leads to federation degradation2025-10-08
Debian
CVE-2025-61672: matrix-synapse - Synapse is an open source Matrix homeserver implementation. Lack of validation f...2025
CVE-2025-61672 — Element-hq Synapse vulnerability | cvebase