PyPi: Matrix-Synapse

CVE-2024-37302

Safety vulnerability ID: 74426

The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Dec 03, 2024 Updated at Dec 11, 2024

Advisory

Affected versions of Synapse are vulnerable to Allocation of Resources Without Limits or Throttling (CWE-770). An unauthenticated attacker can repeatedly request media that lives on other homeservers; Synapse fetches and caches each file locally, so a sustained stream of such requests can exhaust disk space and cause denial of service, ranging from failed media uploads and downloads to complete Synapse unavailability.

The attack vector is the unauthenticated media download endpoints, which had no adequate rate limit on remote media fetches.

To mitigate this issue, upgrade to Synapse version 1.106 or later, which introduces a "leaky bucket" rate limit on remote media downloads. Independently of the upgrade, server operators can reduce the impact by limiting the maximum file size Synapse will store (the max_upload_size setting) and by placing media storage on a dedicated disk or volume so that a full media store cannot starve the database or the rest of the host.
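To make the "leaky bucket" mitigation concrete, the following is an added illustration written for this page; it is not Synapse's own code and does not reproduce its configuration options. It keys buckets by client IP (an assumption, since Synapse's keying is not described here), measures the bucket in bytes rather than requests so that a few huge downloads are throttled as hard as many small ones, and rejects rather than queues a request that would overflow the bucket. All numbers in the scenario are constructed.

```python
"""Illustrative per-client leaky-bucket limiter for remote media downloads.

Added example, not Synapse's implementation. Each key (here a client IP,
an assumption) owns a bucket holding up to `capacity` bytes that drains at
`drain_rate` bytes per second. A download is admitted only if its size fits
in the remaining headroom, so an unauthenticated client cannot fill the
media store faster than the configured sustained rate.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List

MiB = 1024 * 1024


@dataclass
class _Bucket:
    level: float  # bytes currently in the bucket (admitted but not yet drained)
    last: float   # clock reading at the last update


class LeakyBucketLimiter:
    """capacity   - burst size in bytes a key may request before being throttled
    drain_rate - sustained rate in bytes/second at which the bucket empties
    clock      - injectable time source (seconds) so the logic is testable"""

    def __init__(self, capacity: int, drain_rate: float, clock: Callable[[], float]):
        if capacity <= 0 or drain_rate <= 0:
            raise ValueError("capacity and drain_rate must be positive")
        self.capacity = capacity
        self.drain_rate = drain_rate
        self.clock = clock
        self._buckets: Dict[str, _Bucket] = {}

    def try_acquire(self, key: str, size: int) -> bool:
        """Admit a download of `size` bytes for `key`, or reject it (no queueing)."""
        if size < 0:
            raise ValueError("size must be non-negative")
        now = self.clock()
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = self._buckets[key] = _Bucket(level=0.0, last=now)
        # Leak first: remove whatever has drained since the last request.
        elapsed = max(0.0, now - bucket.last)
        bucket.level = max(0.0, bucket.level - elapsed * self.drain_rate)
        bucket.last = now
        # A request that would overflow the bucket is refused outright. Note that
        # a single file larger than `capacity` can never be admitted, which is why
        # a maximum file size cap belongs alongside the rate limit.
        if bucket.level + size > self.capacity:
            return False
        bucket.level += size
        return True


class FakeClock:
    """Deterministic clock for the simulation below (constructed, not wall time)."""

    def __init__(self, start: float = 0.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def simulate_burst(requests: int, size: int, capacity: int,
                   drain_rate: float, pause_after: float) -> List[bool]:
    """Fire `requests` downloads of `size` bytes back-to-back from one client
    (constructed documentation IP 203.0.113.7), wait `pause_after` seconds, then
    try once more. Returns the admit/reject decision for each attempt."""
    clock = FakeClock()
    limiter = LeakyBucketLimiter(capacity, drain_rate, clock)
    client = "203.0.113.7"
    decisions = [limiter.try_acquire(client, size) for _ in range(requests)]
    clock.advance(pause_after)
    decisions.append(limiter.try_acquire(client, size))
    return decisions


if __name__ == "__main__":
    # Constructed scenario: 100 MiB burst, draining 10 MiB/s, eight 20 MiB
    # requests in a row, then a 5 s pause. Expect 5 admits, 3 rejects, 1 admit.
    print(simulate_burst(8, 20 * MiB, 100 * MiB, 10 * MiB, 5.0))
```

The byte-based bucket is a design choice for this illustration: a request-count limiter would let an attacker pick the largest files on remote servers and still fill the disk within the allowed request budget, whereas counting bytes bounds the growth of the media store directly. Rejecting instead of queuing matters too, since queued fetches would themselves be an unbounded resource held open by unauthenticated clients.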

Affected package

matrix-synapse

Latest version: 1.121.1

Homeserver for the Matrix decentralised comms protocol

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources
