Allocation of Resources Without Limits or Throttling in Synapse - CVE-2024-37302


Published: December 3, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127005
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2024-37302
CWE-ID: CWE-770
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Matrix.org
Affected software: Synapse

Detailed vulnerability description

The vulnerability allows a remote attacker to cause a denial of service.

The vulnerability exists because remote media caching allocates resources without limits or throttling when handling requests for remote media downloads: media fetched from other homeservers is cached locally with no bound on the volume stored. A remote attacker can request large amounts of remote media to cause a denial of service.

The issue can fill disk space and may result in failed media uploads or downloads, or in complete unavailability of the Synapse process, depending on the deployment.
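An added illustrative example, not Synapse's own code, of the two guards that address this class of weakness (CWE-770) in a remote-media cache: a global on-disk byte budget that fails closed, and a per-requester token bucket measured in bytes. The class, method names, sizes and the explicit clock are all assumptions for the illustration.

```python
class RemoteMediaCache:
    """Illustrative remote-media cache with CWE-770 guards (not Synapse code).

    Every cached item counts against a global disk budget, and each
    requester draws from a byte-based token bucket, so one client cannot
    fill the disk by asking for unlimited remote media.
    """

    def __init__(self, max_total_bytes, max_item_bytes, per_second, burst_bytes):
        self.max_total = max_total_bytes      # disk budget for the whole cache
        self.max_item = max_item_bytes        # largest single remote file accepted
        self.per_second = per_second          # refill rate of each requester's bucket
        self.burst = burst_bytes              # bucket capacity (max bytes at once)
        self.total = 0
        self.items = {}                       # media_id -> size in bytes
        self.buckets = {}                     # requester -> (tokens, last_seen)

    def _take_tokens(self, requester, size, now):
        """Token bucket measured in bytes; returns True if the download fits."""
        tokens, last = self.buckets.get(requester, (self.burst, now))
        tokens = min(self.burst, tokens + (now - last) * self.per_second)
        if tokens < size:
            self.buckets[requester] = (tokens, now)
            return False
        self.buckets[requester] = (tokens - size, now)
        return True

    def store(self, requester, media_id, size, now):
        """Decide whether a fetched remote file may be written to the cache.

        `now` is passed explicitly (seconds) so behaviour is deterministic.
        """
        if media_id in self.items:
            return "hit"                      # already cached: nothing to write
        if size > self.max_item:
            return "rejected: item too large"
        if self.total + size > self.max_total:
            return "rejected: cache full"     # fail closed instead of filling the disk
        if not self._take_tokens(requester, size, now):
            return "throttled"
        self.items[media_id] = size
        self.total += size
        return "stored"


def flood(cache, requester, count, size, now=0):
    """Constructed scenario: one requester asks for `count` distinct files at once."""
    outcomes = [cache.store(requester, f"file-{i}", size, now) for i in range(count)]
    return {o: outcomes.count(o) for o in set(outcomes)}
```

Without the two checks in `store`, the flood scenario would write every requested file and the cache would grow until the disk was full.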


How to mitigate CVE-2024-37302

Install the security update from the vendor's website.

Sources