Incorrect calculation in Synapse - CVE-2024-31208

 


Published: April 23, 2024 / Updated: April 23, 2026


Vulnerability identifier: #VU127006
CSH Severity: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-31208
CWE-ID: CWE-682
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Synapse
Software vendor: Matrix.org

Description

The vulnerability allows a remote user to cause a denial of service.

The vulnerability exists due to incorrect calculation of the auth chain cover index when processing specially crafted events from a remote room member. A remote user can send such events to cause a denial of service.

Exploitation can lead to disk fill and high CPU usage. Servers in private federations, or those that do not federate, are not affected.


Remediation

Install the security update from the vendor's website.
