GHSA-V56R-HWV5-MXG6

Vulnerability from github – Published: 2025-03-27 18:02 – Updated: 2025-10-24 19:32
VLAI?
Summary
Synapse vulnerable to federation denial of service via malformed events
Details

Impact

A malicious server can craft events with a depth outside the integer range allowed by Canonical JSON. When such an event is received by Synapse version up to 1.127.0, it prevents it from federating with other servers. The vulnerability has been exploited in the wild.

Patches

Fixed in Synapse v1.127.1.

Workarounds

Closed federation environments of trusted servers or non-federating installations are not affected.

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

Severity ?
7.1 (High)
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "matrix-synapse"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.127.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30355"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-27T18:02:14Z",
    "nvd_published_at": "2025-03-27T01:15:12Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nA malicious server can craft events with a `depth` outside the integer range allowed by Canonical JSON. When such an event is received by Synapse version up to 1.127.0, it prevents it from federating with other servers. The vulnerability has been exploited in the wild.\n\n### Patches\nFixed in Synapse v1.127.1.\n\n### Workarounds\nClosed federation environments of trusted servers or non-federating installations are not affected.\n\n### For more information\n\nIf you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).",
  "id": "GHSA-v56r-hwv5-mxg6",
  "modified": "2025-10-24T19:32:06Z",
  "published": "2025-03-27T18:02:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30355"
    },
    {
      "type": "WEB",
      "url": "https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/element-hq/synapse"
    },
    {
      "type": "WEB",
      "url": "https://github.com/element-hq/synapse/releases/tag/v1.127.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Synapse vulnerable to federation denial of service via malformed events"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.