matrix-synapse
PyPI: 41 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting matrix-synapse
- CVE-2018-10657 | HIGH | CVSS 7.5 | ✓ Fixed in 0.28.1 | 2018-05-02
Matrix Synapse before 0.28.1 is prone to a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable, related to federation/federation_base.py and handlers/message.py, as exploited in the wild in Ap…
- CVE-2018-12291 | HIGH | CVSS 7.5 | ✓ Fixed in 0.31.1 | 2018-06-13
The on_get_missing_events function in handlers/federation.py in Matrix Synapse before 0.31.1 has a security bug in the get_missing_events federation API where event visibility rules were not applied correctly.
- CVE-2018-12423 | HIGH | CVSS 7.5 | ✓ Fixed in 0.31.2 | 2018-06-14
In Synapse before 0.31.2, unauthorised users can hijack rooms when there is no m.room.power_levels event in force.
- CVE-2018-16515 | HIGH | CVSS 8.8 | ✓ Fixed in 0.33.2.1 | 2018-09-18
Matrix Synapse before 0.33.3.1 allows remote attackers to spoof events and possibly have unspecified other impacts by leveraging improper transaction and event signature validation.
- CVE-2019-11842 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 0.99.3.1 | 2019-05-09
vulnerable: 0.33.5 ... 0.99.3rc1 (28 versions)
An issue was discovered in Matrix Sydent before 1.0.3 and Synapse before 0.99.3.1. Random number generation is mishandled, which makes it easier for attackers to predict a Sydent authentication token or a Synapse random ID.
- CVE-2019-18835 | CRITICAL | CVSS 9.8 | EG 9.8 | ✓ Fixed in 1.5.0 | 2019-11-08
vulnerable: 0.33.5 ... 1.5.0rc2 (57 versions)
Matrix Synapse before 1.5.0 mishandles signature checking on some federation APIs. Events sent over /send_join, /send_leave, and /invite may not be correctly signed, or may not come from the expected servers.
- CVE-2019-5885 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 0.34.0.1 | 2019-03-21
vulnerable: 0.33.5 ... 0.34.0rc2 (13 versions)
Matrix Synapse before 0.34.0.1, when the macaroon_secret_key authentication parameter is not set, uses a predictable value to derive a secret key and other secrets which could allow remote attackers to impersonate users.
- CVE-2020-26257 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 1.23.1 | 2020-12-09
vulnerable: 0.33.5 ... 1.9.1 (138 versions)
Matrix is an ecosystem for open federated Instant Messaging and VoIP. Synapse is a reference "homeserver" implementation of Matrix. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a differ…
- CVE-2020-26890 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.20.0 | 2020-11-24
vulnerable: 0.33.5 ... 1.9.1 (124 versions)
Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Mat…
- CVE-2020-26891 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 1.21.0 | 2020-10-19
vulnerable: 0.33.5 ... 1.9.1 (129 versions)
AuthRestServlet in Matrix Synapse before 1.21.0 is vulnerable to XSS due to unsafe interpolation of the session GET parameter. This allows a remote attacker to execute an XSS attack on the domain Synapse is hosted on, by supplying the vict…
- CVE-2021-21273 | LOW | CVSS 3.1 | EG 3.1 | ✓ Fixed in 1.25.0 | 2021-02-26
vulnerable: 0.33.5 ... 1.9.1 (143 versions)
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, requests to user provided domains were not re…
- CVE-2021-21274 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 1.25.0 | 2021-02-26
vulnerable: 0.99.0 ... 1.9.1 (124 versions)
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect request…
- CVE-2021-21332 | MEDIUM | CVSS 6.9 | EG 6.9 | ✓ Fixed in 1.27.0 | 2021-03-26
vulnerable: 0.33.5 ... 1.9.1 (149 versions)
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the password reset endpoint served via Synaps…
- CVE-2021-21333 | MEDIUM | CVSS 6.1 | EG 6.1 | ✓ Fixed in 1.27.0 | 2021-03-26
vulnerable: 0.33.5 ... 1.9.1 (149 versions)
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.27.0, the notification emails sent for notification…
- CVE-2021-21392 | MEDIUM | CVSS 6.3 | EG 6.3 | ✓ Fixed in 1.28.0 | 2021-04-12
vulnerable: 0.33.5 ... 1.28.0rc1 (151 versions)
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 requests to user provided domains were not res…
- CVE-2021-21393 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 1.28.0 | 2021-04-12
vulnerable: 0.33.5 ... 1.28.0rc1 (151 versions)
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some pa…
- CVE-2021-21394 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 1.28.0 | 2021-04-12
vulnerable: 0.33.5 ... 1.28.0rc1 (151 versions)
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.28.0 Synapse is missing input validation of some pa…
- CVE-2021-29471 | LOW | CVSS 3.7 | EG 3.7 | ✓ Fixed in 1.33.2 | 2021-05-11
vulnerable: 0.33.5 ... 1.9.1 (167 versions)
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.33.2 "Push rules" can specify conditions under whic…
- CVE-2021-39163 | LOW | CVSS 3.1 | EG 3.1 | ✓ Fixed in 1.41.1 | 2021-08-31
vulnerable: 0.33.5 ... 1.9.1 (197 versions)
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the name, avatar, topic and number of members of a room if they know the ID of the room. This vulner…
- CVE-2021-39164 | LOW | CVSS 3.1 | EG 3.1 | ✓ Fixed in 1.41.1 | 2021-08-31
vulnerable: 0.33.5 ... 1.9.1 (197 versions)
Matrix is an ecosystem for open federated Instant Messaging and Voice over IP. In versions 1.41.0 and prior, unauthorised users can access the membership (list of members, with their display names) of a room if they know the ID of the room…
- CVE-2021-41281 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.47.1 | 2021-11-23
vulnerable: 0.33.5 ... 1.9.1 (218 versions)
Synapse is a package for Matrix homeservers written in Python 3/Twisted. Prior to version 1.47.1, Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory. …
- CVE-2022-31052 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 1.61.1 | 2022-06-28
vulnerable: 0.33.5 ... 1.9.1 (259 versions)
Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is …
- CVE-2022-31152 | MEDIUM | CVSS 6.4 | EG 6.4 | ✓ Fixed in 1.62.0 | 2022-09-02
vulnerable: 0.33.5 ... 1.9.1 (263 versions)
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix specification specifies a list of [event authorization rules](https://spec.matrix.org/v1.2/rooms/v9/#authorization-rules) which mus…
- CVE-2022-39335 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 1.69.0 | 2023-05-26
vulnerable: 0.33.5 ... 1.9.1 (284 versions)
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. The Matrix Federation API allows remote homeservers to request the authorization events in a room. This is necessary so that a homeserver rece…
- CVE-2022-39374 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 1.68.0 | 2023-05-26
vulnerable: 1.62.0 ... 1.68.0rc2 (17 versions)
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously r…
- CVE-2022-41952 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 1.53.0 | 2022-11-22
vulnerable: 0.33.5 ... 1.9.1 (235 versions)
Synapse before 1.52.0 with URL preview functionality enabled will attempt to generate URL previews for media stream URLs without properly limiting connection time. Connections will only be terminated after `max_spider_size` (default: 10M) …
- CVE-2023-32323 | MEDIUM | CVSS 5.0 | EG 5.0 | ✓ Fixed in 1.74.0 | 2023-05-26
vulnerable: 0.33.5 ... 1.9.1 (297 versions)
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitra…
- CVE-2023-32682 | MEDIUM | CVSS 5.4 | EG 5.4 | ✓ Fixed in 1.85.0 | 2023-06-06
vulnerable: 0.33.5 ... 1.9.1 (327 versions)
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. In affected versions it may be possible for a deactivated user to login when using uncommon configurations. This only applies if any of the following are…
- CVE-2023-32683 | LOW | CVSS 3.5 | EG 3.5 | ✓ Fixed in 1.85.0 | 2023-06-06
vulnerable: 0.33.5 ... 1.9.1 (327 versions)
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting potentially allowing server side request forgery or bypassing network…
- CVE-2023-41335 | LOW | CVSS 3.7 | EG 3.7 | ✓ Fixed in 1.93.0 | 2023-09-27
vulnerable: 1.66.0 ... 1.93.0rc1 (74 versions)
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. When users update their passwords, the new credentials may be briefly held in the server database. While this doesn't grant the server any add…
- CVE-2023-42453 | LOW | CVSS 3.1 | EG 3.1 | ✓ Fixed in 1.93.0 | 2023-09-27
vulnerable: 1.34.0 ... 1.93.0rc1 (180 versions)
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Users were able to forge read receipts for any event (if they knew the room ID and event ID). Note that the users were not able to view the ev…
- CVE-2023-43796 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 1.95.1 | 2023-10-31
vulnerable: 0.33.5 ... 1.95.0rc1 (354 versions)
Synapse is an open-source Matrix homeserver. Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System adminis…
- CVE-2023-45129 | MEDIUM | CVSS 4.9 | EG 4.9 | ✓ Fixed in 1.94.0 | 2023-10-10
vulnerable: 0.33.5 ... 1.94.0rc1 (351 versions)
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of serv…
- CVE-2024-31208 | MEDIUM | CVSS 6.5 | EG 6.5 | ✓ Fixed in 1.105.1 | 2024-04-23
vulnerable: 0.33.5 ... 1.99.0rc1 (376 versions)
Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm…
- CVE-2024-37302 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.106.0 | 2024-12-03
vulnerable: 0.33.5 ... 1.99.0rc1 (378 versions)
Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate li…
- CVE-2024-37303 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 1.106.0 | 2024-12-03
vulnerable: 0.33.5 ... 1.99.0rc1 (378 versions)
Synapse is an open-source Matrix homeserver. Synapse before version 1.106 allows, by design, unauthenticated remote participants to trigger a download and caching of remote media from a remote homeserver to the local media repository. Such…
- CVE-2024-52805 | HIGH | CVSS 7.5 | EG 7.5 | ✓ Fixed in 1.120.1 | 2024-12-03
vulnerable: 0.33.5 ... 1.99.0rc1 (415 versions)
Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be us…
- CVE-2024-52815 | MEDIUM | CVSS 5.3 | EG 5.3 | ✓ Fixed in 1.120.1 | 2024-12-03
vulnerable: 0.33.5 ... 1.99.0rc1 (415 versions)
Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invi…
- CVE-2024-53863 | CRITICAL | CVSS 9.1 | EG 9.1 | ✓ Fixed in 1.120.1 | 2024-12-03
vulnerable: 0.33.5 ... 1.99.0rc1 (415 versions)
Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats…
- CVE-2024-53867 | MEDIUM | CVSS 4.3 | EG 4.3 | ✓ Fixed in 1.120.1 | 2024-12-03
vulnerable: 1.113.0 ... 1.120.0rc1 (19 versions)
Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. Thi…
- CVE-2025-61672 | NONE | CVSS 0.0 | EG 0.0 | ✓ Fixed in 1.139.1 | 2025-10-08
vulnerable: 1.139.0, 1.139.0rc2, 1.139.0rc3
Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allows an attacker registered on the victim homeserver to degrade federation functionality, unpr…