PyPi: Matrix-Synapse

CVE-2024-37303

Safety vulnerability ID: 74425


The information on this page was manually curated by our Cybersecurity Intelligence Team.

Created at Dec 03, 2024 Updated at Dec 11, 2024

Advisory

Affected versions of Synapse are vulnerable to Missing Authentication for Critical Function (CWE-306). The flaw allows unauthenticated remote users to make the homeserver download and cache remote media in its local media repository, after which that content is served without authentication. The issue is reachable through the unauthenticated media download endpoints, so it can be exploited remotely without credentials. To mitigate this issue, upgrade to Synapse version 1.106 or later, which requires authentication for media downloads. As a temporary workaround, server operators can apply stricter IP-based rate limits to those endpoints.

Affected package

matrix-synapse

Latest version: 1.121.1

Homeserver for the Matrix decentralised comms protocol

Affected versions

Fixed versions

Vulnerability changelog

This vulnerability has no description

Resources
