Element-Hq Synapse vulnerabilities

9 known vulnerabilities affecting element-hq/synapse.

Total CVEs
9
CISA KEV
0
Public exploits
0
Exploited in wild
0
Severity breakdown
HIGH5MEDIUM4

Vulnerabilities

Page 1 of 1
CVE-2025-61672MEDIUMCVSS 5.3fixed in 1.138.3v= 1.139.02025-10-08
CVE-2025-61672 [MEDIUM] CWE-1287 CVE-2025-61672: Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Sy Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4,
cvelistv5nvd
CVE-2025-30355HIGHCVSS 7.5fixed in 1.127.12025-03-27
CVE-2025-30355 [HIGH] CWE-20 CVE-2025-30355: Synapse is an open source Matrix homeserver implementation. A malicious server can craft events whic Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.
cvelistv5nvd
CVE-2024-53863HIGHCVSS 8.2fixed in 1.120.12024-12-03
CVE-2024-53863 [HIGH] CWE-434 CVE-2024-53863: Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynami Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surfa
cvelistv5nvd
CVE-2024-37302HIGHCVSS 7.5fixed in 1.1062024-12-03
CVE-2024-37302 [HIGH] CWE-770 CVE-2024-37302: Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media upl
cvelistv5nvd
CVE-2024-52815HIGHCVSS 8.7fixed in 1.120.12024-12-03
CVE-2024-52815 [HIGH] CWE-20 CVE-2024-52815: Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly valida Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores
cvelistv5nvd
CVE-2024-52805HIGHCVSS 8.2fixed in 1.120.12024-12-03
CVE-2024-52805 [HIGH] CWE-770 CVE-2024-52805: Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported m
cvelistv5nvd
CVE-2024-53867MEDIUMCVSS 4.3v>= 1.113.0rc1, < 1.120.12024-12-03
CVE-2024-53867 [MEDIUM] CWE-497 CVE-2024-53867: Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1. Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.
cvelistv5nvd
CVE-2024-37303MEDIUMCVSS 5.3fixed in 1.1062024-12-03
CVE-2024-37303 [MEDIUM] CWE-306 CVE-2024-37303: Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthe Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such content then also becomes available for download from the local homeserver in an unauthenticated way. The impli
cvelistv5nvd
CVE-2024-31208MEDIUMCVSS 6.5fixed in 1.105.12024-04-23
CVE-2024-31208 [MEDIUM] CWE-770 CVE-2024-31208: Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a r Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resultin
cvelistv5nvd