CVE-2021-29453
Severity: MEDIUM
matrix-media-repo < 1.2.7 - Denial of Service via Malicious Image Thumbnailing
matrix-media-repo is an open-source multi-domain media repository for Matrix. Versions 1.2.6 and earlier do not properly handle malicious images that are crafted to be small in file size but expensive to decode. An authenticated user could upload an image that is only a few kilobytes on disk but, in particular image formats, declares extremely large pixel dimensions; when the server thumbnails it, it attempts to load the entire decoded image into memory and can exhaust available memory, leading to denial of service. Version 1.2.7 contains a fix for the vulnerability.
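The failure mode described above, and the header-first check that defends against it, as an added example that is not part of this advisory or of matrix-media-repo's own code (the advisory does not say how 1.2.7 fixes the issue). Go is used because matrix-media-repo is written in Go. The budget constant MaxThumbnailPixels, the function names, and the hand-built PNG header are assumptions made for illustration. The point of the example is that image.DecodeConfig parses only the header (PNG IHDR, JPEG SOF) without allocating a pixel buffer, so the declared width and height can be checked against a budget before any full decode, which is where the standard decoders would otherwise allocate width*height*bytes-per-pixel:

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
	"image"
	"image/color"
	"image/png" // registers the PNG decoder; Encode is used for the sample input

	_ "image/jpeg" // registered so image.DecodeConfig also recognises JPEG uploads
)

// MaxThumbnailPixels is a hypothetical decode budget (an assumption for this
// example, not a matrix-media-repo setting): 16 megapixels, which at 4 bytes
// per pixel caps a decoded RGBA buffer at 64 MiB.
const MaxThumbnailPixels int64 = 16 * 1024 * 1024

// ErrTooLarge is returned when the declared pixel count exceeds the budget.
var ErrTooLarge = errors.New("declared image dimensions exceed thumbnail budget")

// CheckImageBudget parses only the image header with image.DecodeConfig
// (no pixel buffer is allocated) and rejects the upload before any full
// decode if width*height exceeds maxPixels.
func CheckImageBudget(data []byte, maxPixels int64) (image.Config, string, error) {
	cfg, format, err := image.DecodeConfig(bytes.NewReader(data))
	if err != nil {
		return image.Config{}, "", fmt.Errorf("unreadable image header: %w", err)
	}
	if cfg.Width <= 0 || cfg.Height <= 0 {
		return image.Config{}, format, errors.New("non-positive image dimensions")
	}
	// Compare by division so the width*height product cannot overflow int64.
	if int64(cfg.Height) > maxPixels/int64(cfg.Width) {
		return image.Config{}, format, fmt.Errorf("%w: %s %dx%d", ErrTooLarge, format, cfg.Width, cfg.Height)
	}
	return cfg, format, nil
}

// pngChunk builds one PNG chunk: 4-byte big-endian length, 4-byte type,
// data, and a CRC-32 over type+data (not the length), as the PNG spec requires.
func pngChunk(typ string, data []byte) []byte {
	out := make([]byte, 8+len(data)+4)
	binary.BigEndian.PutUint32(out[0:4], uint32(len(data)))
	copy(out[4:8], typ)
	copy(out[8:], data)
	crc := crc32.ChecksumIEEE(out[4 : 8+len(data)])
	binary.BigEndian.PutUint32(out[8+len(data):], crc)
	return out
}

// BombHeader is a constructed 33-byte PNG prefix (signature + IHDR) that
// declares a width x height 8-bit RGB image. A real decompression bomb would
// append a tiny, highly compressible IDAT stream; the header alone is what a
// header-first check inspects, and it already reveals that a full decode
// would need width*height*4 bytes for an RGBA buffer.
func BombHeader(width, height uint32) []byte {
	ihdr := make([]byte, 13)
	binary.BigEndian.PutUint32(ihdr[0:4], width)
	binary.BigEndian.PutUint32(ihdr[4:8], height)
	ihdr[8] = 8 // bit depth
	ihdr[9] = 2 // colour type 2: truecolour (RGB)
	// ihdr[10], ihdr[11], ihdr[12] stay 0: compression 0, filter 0, no interlace
	sig := []byte{0x89, 'P', 'N', 'G', '\r', '\n', 0x1a, '\n'}
	return append(sig, pngChunk("IHDR", ihdr)...)
}

// SmallPNG encodes a genuine 8x8 gradient with image/png (constructed sample input).
func SmallPNG() []byte {
	img := image.NewRGBA(image.Rect(0, 0, 8, 8))
	for y := 0; y < 8; y++ {
		for x := 0; x < 8; x++ {
			img.Set(x, y, color.RGBA{uint8(x * 32), uint8(y * 32), 128, 255})
		}
	}
	var buf bytes.Buffer
	if err := png.Encode(&buf, img); err != nil {
		panic(err)
	}
	return buf.Bytes()
}

func main() {
	samples := []struct {
		name string
		data []byte
	}{
		{"8x8 png", SmallPNG()},
		{"16000x16000 header", BombHeader(16000, 16000)},
	}
	for _, s := range samples {
		cfg, format, err := CheckImageBudget(s.data, MaxThumbnailPixels)
		if err != nil {
			fmt.Printf("%-20s (%d bytes) rejected: %v\n", s.name, len(s.data), err)
			continue
		}
		decoded := int64(cfg.Width) * int64(cfg.Height) * 4
		fmt.Printf("%-20s (%d bytes) accepted: %s %dx%d, ~%d bytes decoded\n",
			s.name, len(s.data), format, cfg.Width, cfg.Height, decoded)
	}
}
```

The check has to run before the thumbnailer's full decode, and the budget should be sized for the largest buffer the thumbnailing path will hold at once (decoded source plus any intermediate), not just the final thumbnail. Rejecting on declared dimensions does not replace a file-size limit; the two bound different resources.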
References (3)
Patch, Third Party Advisory: https://github.com/turt2live/matrix-media-repo/security/advisories/GHSA-j889-h476-hh9h
Third Party Advisory: https://hub.docker.com/r/turt2live/matrix-media-repo/tags?page=1&ordering=last_updated
Release Notes, Third Party Advisory: https://github.com/turt2live/matrix-media-repo/releases/tag/v1.2.7
Scores
CVSS v3.1 base score: 5.7 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
EPSS: 0.0100 (1.00%)
EPSS Percentile: 58.3%
Details
CWE: CWE-400 (Uncontrolled Resource Consumption), CWE-770 (Allocation of Resources Without Limits or Throttling)
Status: published
Products (1)
matrix-media-repo_project/matrix-media-repo < 1.2.7
Published: Apr 19, 2021
Tracked Since: Feb 18, 2026