Input validation error in Synapse - CVE-2025-30355

 


Published: March 31, 2025


Vulnerability identifier: #VU106284
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2025-30355
CWE-ID: CWE-20
Exploitation vector: Remote access
Exploit availability: The vulnerability is being exploited in the wild
Vendor: Matrix.org
Affected software: Synapse

Detailed vulnerability description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can pass specially crafted events to the application and prevent it from federating with other servers.

Note: the vulnerability is being exploited in the wild.


How to mitigate CVE-2025-30355

Install updates from the vendor's website.
