#VU127005 Allocation of Resources Without Limits or Throttling in Synapse - CVE-2024-37302

 


Published: December 3, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127005
Vulnerability risk: Medium
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-37302
CWE-ID: CWE-770
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Synapse
Software vendor: Matrix.org

Description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists due to allocation of resources without limits or throttling in remote media caching when handling requests for remote media downloads. A remote attacker can request large amounts of remote media to cause a denial of service.

The issue can fill disk space and may result in failed media uploads or downloads, or complete unavailability of the Synapse process depending on deployment.
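
The kind of throttling whose absence CWE-770 describes, as an added illustration in Python: a per-requester byte budget checked before a remote file is fetched and cached. This is not Synapse's code or the vendor's fix; the class names, the client IP as the key, the limits and the sample requests are assumptions, and the file size is assumed to be known before the download starts.

```python
from dataclasses import dataclass

MIB = 1024 * 1024


@dataclass
class ByteBucket:
    """Leaky bucket that counts bytes, not requests."""
    burst_bytes: int         # most bytes one requester may have outstanding
    drain_per_second: int    # bytes of budget regained per second
    level: float = 0.0       # bytes currently charged to the requester
    last_seen: float = 0.0   # time of the previous decision

    def allow(self, size: int, now: float) -> bool:
        # Drain the bucket for the time elapsed since the last decision.
        elapsed = max(0.0, now - self.last_seen)
        self.level = max(0.0, self.level - elapsed * self.drain_per_second)
        self.last_seen = now
        if self.level + size > self.burst_bytes:
            return False     # over budget: do not fetch or cache this file
        self.level += size
        return True


class RemoteMediaLimiter:
    """One bucket per requester (hypothetical key: the client IP address)."""

    def __init__(self, burst_bytes: int, drain_per_second: int):
        self.burst_bytes = burst_bytes
        self.drain_per_second = drain_per_second
        self.buckets = {}    # requester -> ByteBucket

    def allow(self, requester: str, size: int, now: float) -> bool:
        bucket = self.buckets.setdefault(
            requester, ByteBucket(self.burst_bytes, self.drain_per_second))
        return bucket.allow(size, now)


def cached_bytes(requests, burst_bytes, drain_per_second):
    """Return (bytes cached with no limit, bytes cached with the limit)."""
    limiter = RemoteMediaLimiter(burst_bytes, drain_per_second)
    unlimited = sum(size for _, _, size in requests)
    limited = sum(size for now, who, size in requests
                  if limiter.allow(who, size, now))
    return unlimited, limited


# Constructed sample: (seconds, requester, size in bytes). One client asks for
# ten 50 MiB remote files in ten seconds; another asks for a single 5 MiB file.
SAMPLE = [(t, "203.0.113.7", 50 * MIB) for t in range(10)]
SAMPLE.append((4, "198.51.100.2", 5 * MIB))
```

With a 100 MiB burst and a 1 MiB/s drain, `cached_bytes(SAMPLE, 100 * MIB, MIB)` caches 105 MiB instead of 505 MiB, and the second client's single request is unaffected.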


Remediation

Install the security update from the vendor's website.
