Safety vulnerability ID: 74424
The information on this page was manually curated by our Cybersecurity Intelligence Team.
Affected versions of Synapse are vulnerable to allocation of resources without limits or throttling (CWE-770). An attacker can send crafted multipart/form-data requests that transiently increase memory consumption, leading to denial of service. The vulnerability is exploitable in configurations where Synapse processes multipart/form-data requests. Synapse version 1.120.1 mitigates the issue by denying unsupported multipart/form-data content types. To remediate, upgrade to 1.120.1. Alternatively, limit request sizes and block multipart/form-data via a reverse proxy, or set a low max_upload_size in Synapse.
Latest version: 1.121.1
Homeserver for the Matrix decentralised comms protocol
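The reverse-proxy workaround described above could look like the following nginx fragment. This is an added example, not configuration from the advisory or the Synapse project; the hostname, certificate paths, upstream address and the 10M limit are assumptions to adapt.

```nginx
# Include from the http {} context (for example a conf.d/ file).
# Constructed example: hostname, paths, port and size limit are placeholders.

# Flag any request whose Content-Type starts with multipart/form-data,
# case-insensitively and regardless of boundary parameters.
map $http_content_type $block_multipart_form {
    default                         0;
    "~*^\s*multipart/form-data"     1;
}

server {
    listen 443 ssl;
    server_name matrix.example.org;                  # placeholder hostname

    ssl_certificate     /etc/ssl/example/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/example/privkey.pem;     # placeholder path

    # Cap request bodies before they reach Synapse. Keep this at or below
    # the max_upload_size value set in homeserver.yaml (value is an assumption).
    client_max_body_size 10M;

    location ~ ^(/_matrix|/_synapse/client) {
        # Reject multipart/form-data at the proxy so the body is never
        # forwarded to Synapse for parsing. "return" inside "if" is the
        # safe use of "if" in a location block.
        if ($block_multipart_form) {
            return 415;
        }

        proxy_pass http://127.0.0.1:8008;            # assumed Synapse listener
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Oversized requests are answered with 413 and multipart/form-data requests with 415 by nginx itself; validate the file with `nginx -t` before reloading.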