#VU106284 Input validation error in Synapse - CVE-2025-30355

Cybersecurity Help s.r.o.

Published: 2025-03-31

Vulnerability identifier: #VU106284

Vulnerability risk: High

CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-30355

CWE-ID: CWE-20

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Synapse
Server applications / Conferencing, Collaboration and VoIP solutions

Vendor: Matrix.org

Description

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote user can pass specially crafted events to the application and prevent it from federating with other servers.

Note, the vulnerability is being exploited in the wild.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Synapse: 1.0.0 - 1.127.0

External links
https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389
https://github.com/element-hq/synapse/releases/tag/v1.127.1
https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Fedora 40 update for matrix-synapse

Fedora 41 update for matrix-synapse

Fedora 42 update for matrix-synapse

Remote denial of service in Matrix Synapse