GHSA-v56r-hwv5-mxg6

Source

https://github.com/advisories/GHSA-v56r-hwv5-mxg6

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-v56r-hwv5-mxg6/GHSA-v56r-hwv5-mxg6.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v56r-hwv5-mxg6

Aliases

CVE-2025-30355

Published

2025-03-27T18:02:14Z

Modified

2025-10-24T19:53:23.702372Z

Severity

7.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H CVSS Calculator

Summary

Synapse vulnerable to federation denial of service via malformed events

Details

Impact

A malicious server can craft events with a depth outside the integer range allowed by Canonical JSON. When such an event is received by Synapse version up to 1.127.0, it prevents it from federating with other servers. The vulnerability has been exploited in the wild.

Patches

Fixed in Synapse v1.127.1.

Workarounds

Closed federation environments of trusted servers or non-federating installations are not affected.

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

Database specific

{
    "nvd_published_at": "2025-03-27T01:15:12Z",
    "github_reviewed_at": "2025-03-27T18:02:14Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-20"
    ],
    "severity": "HIGH"
}

References

Affected packages

PyPI / matrix-synapse

Package

Name: matrix-synapse; View open source insights on deps.dev
Purl: pkg:pypi/matrix-synapse

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.127.1

Affected versions

0.*

0.33.5

0.33.5.1

0.33.6rc1

0.33.6

0.33.7rc1

0.33.7rc2

0.33.7

0.33.8rc2

0.33.8

0.33.9

0.34.0rc1

0.34.0rc2

0.34.0

0.34.0.1

0.34.1.1

0.99.0rc1

0.99.0rc2

0.99.0rc3

0.99.0rc4

0.99.0

0.99.1rc1

0.99.1rc2

0.99.1

0.99.1.1

0.99.2rc1

0.99.2

0.99.3rc1

0.99.3

0.99.3.1

0.99.3.2

0.99.4rc1

0.99.4

0.99.5rc1

0.99.5

0.99.5.1

0.99.5.2

1.*

1.0.0rc1

1.0.0rc2

1.0.0rc3

1.0.0

1.1.0rc1

1.1.0rc2

1.1.0

1.2.0rc1

1.2.0rc2

1.2.0

1.2.1

1.3.0rc1

1.3.0

1.3.1

1.4.0rc1

1.4.0rc2

1.4.0

1.4.1rc1

1.4.1

1.5.0rc1

1.5.0rc2

1.5.0

1.5.1

1.6.0rc1

1.6.0rc2

1.6.0

1.6.1

1.7.0rc1

1.7.0rc2

1.7.0

1.7.1

1.7.2

1.7.3

1.8.0rc1

1.8.0

1.9.0.dev1

1.9.0.dev2

1.9.0rc1

1.9.0

1.9.1

1.10.0rc1

1.10.0rc2

1.10.0rc3

1.10.0rc5

1.10.0

1.10.1

1.11.0rc1

1.11.0

1.11.1

1.12.0rc1

1.12.0

1.12.1rc1

1.12.1

1.12.2

1.12.3

1.12.4rc1

1.12.4

1.13.0rc1

1.13.0rc2

1.13.0rc3

1.13.0

1.14.0rc1

1.14.0rc2

1.14.0

1.15.0rc1

1.15.0

1.15.1

1.15.2

1.16.0rc1

1.16.0rc2

1.16.0

1.16.1

1.17.0rc1

1.17.0

1.18.0rc1

1.18.0rc2

1.18.0

1.19.0rc1

1.19.0

1.19.1rc1

1.19.1

1.19.2

1.19.3

1.20.0rc1

1.20.0rc2

1.20.0rc3

1.20.0rc4

1.20.0rc5

1.20.0

1.20.1

1.21.0rc1

1.21.0rc2

1.21.0rc3

1.21.0

1.21.1

1.21.2

1.22.0rc1

1.22.0rc2

1.22.0

1.22.1

1.23.0rc1

1.23.0

1.23.1

1.24.0rc1

1.24.0rc2

1.24.0

1.25.0rc1

1.25.0

1.26.0rc1

1.26.0rc2

1.26.0

1.27.0rc1

1.27.0rc2

1.27.0

1.28.0rc1

1.28.0

1.29.0rc1

1.29.0

1.30.0rc1

1.30.0

1.30.1

1.31.0rc1

1.31.0

1.32.0rc1

1.32.0

1.32.1

1.32.2

1.33.0rc1

1.33.0rc2

1.33.0

1.33.1

1.33.2

1.34.0rc1

1.34.0

1.35.0rc1

1.35.0rc2

1.35.0rc3

1.35.0

1.35.1

1.36.0rc1

1.36.0rc2

1.36.0

1.37.0rc1

1.37.0

1.37.1rc1

1.37.1

1.38.0rc1

1.38.0rc2

1.38.0rc3

1.38.0

1.38.1

1.39.0rc1

1.39.0rc2

1.39.0rc3

1.39.0

1.40.0rc1

1.40.0rc2

1.40.0rc3

1.40.0

1.41.0rc1

1.41.0

1.41.1

1.42.0rc1

1.42.0rc2

1.42.0

1.43.0rc1

1.43.0rc2

1.43.0

1.44.0rc1

1.44.0rc2

1.44.0rc3

1.44.0

1.45.0rc1

1.45.0rc2

1.45.0

1.45.1

1.46.0rc1

1.46.0

1.47.0rc1

1.47.0rc2

1.47.0rc3

1.47.0

1.47.1

1.48.0rc1

1.48.0

1.49.0rc1

1.49.0

1.49.2

1.50.0rc1

1.50.0rc2

1.50.0

1.50.1

1.50.2

1.51.0rc1

1.51.0rc2

1.51.0

1.52.0rc1

1.52.0

1.53.0rc1

1.53.0

1.54.0rc1

1.54.0

1.55.0rc1

1.55.0

1.55.1

1.55.2

1.56.0rc1

1.56.0

1.57.0rc1

1.57.0

1.57.1

1.58.0rc2

1.58.0

1.58.1

1.59.0rc1

1.59.0rc2

1.59.0

1.59.1

1.60.0rc1

1.60.0rc2

1.60.0

1.61.0rc1

1.61.0

1.61.1

1.62.0rc1

1.62.0rc2

1.62.0rc3

1.62.0

1.63.0rc1

1.63.0

1.63.1

1.64.0rc1

1.64.0rc2

1.64.0

1.65.0rc1

1.65.0rc2

1.65.0

1.66.0rc1

1.66.0rc2

1.66.0

1.67.0rc1

1.67.0

1.68.0rc1

1.68.0rc2

1.68.0

1.69.0rc1

1.69.0rc2

1.69.0rc4

1.69.0

1.70.0rc1

1.70.0rc2

1.70.0

1.70.1

1.71.0rc1

1.71.0rc2

1.71.0

1.72.0rc1

1.72.0

1.73.0rc2

1.73.0

1.74.0rc1

1.74.0

1.75.0rc1

1.75.0rc2

1.75.0

1.76.0rc1

1.76.0rc2

1.76.0

1.77.0rc1

1.77.0rc2

1.77.0

1.78.0rc1

1.78.0

1.79.0rc1

1.79.0rc2

1.79.0

1.80.0rc1

1.80.0rc2

1.80.0

1.81.0rc1

1.81.0rc2

1.81.0

1.82.0rc1

1.82.0

1.83.0rc1

1.83.0

1.84.0rc1

1.84.0

1.84.1

1.85.0rc1

1.85.0rc2

1.85.0

1.85.1

1.85.2

1.86.0rc2

1.86.0

1.87.0rc1

1.87.0

1.88.0rc1

1.88.0

1.89.0rc1

1.89.0

1.90.0rc1

1.90.0

1.91.0rc1

1.91.0

1.91.1

1.91.2

1.92.0rc1

1.92.1

1.92.2

1.92.3

1.93.0rc1

1.93.0

1.94.0rc1

1.94.0

1.95.0rc1

1.95.0

1.95.1

1.96.0rc1

1.96.1

1.97.0rc1

1.97.0

1.98.0rc1

1.98.0

1.99.0rc1

1.99.0

1.100.0rc2

1.100.0rc3

1.100.0

1.101.0rc1

1.101.0

1.102.0rc1

1.102.0

1.103.0rc1

1.103.0

1.104.0rc1

1.104.0

1.105.0rc1

1.105.0

1.105.1

1.106.0rc1

1.106.0

1.107.0rc1

1.107.0

1.108.0rc1

1.108.0

1.109.0rc1

1.109.0rc2

1.109.0rc3

1.109.0

1.110.0rc2

1.110.0rc3

1.110.0

1.111.0rc1

1.111.0rc2

1.111.0

1.111.1

1.112.0rc1

1.112.0

1.113.0rc1

1.113.0

1.114.0rc1

1.114.0rc3

1.114.0

1.115.0rc1

1.115.0rc2

1.115.0

1.116.0rc1

1.116.0rc2

1.116.0

1.117.0rc1

1.117.0

1.118.0rc1

1.118.0

1.119.0rc2

1.119.0

1.120.0rc1

1.120.0

1.120.2

1.121.0rc1

1.121.0

1.121.1

1.122.0rc1

1.122.0

1.123.0rc1

1.123.0

1.124.0rc1

1.124.0rc2

1.124.0rc3

1.124.0

1.125.0rc1

1.125.0

1.126.0rc2

1.126.0rc3

1.126.0

1.127.0rc1

1.127.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-v56r-hwv5-mxg6/GHSA-v56r-hwv5-mxg6.json"