CVE-2024-52791

MEDIUM

Matrix Media Repo <1.3.8 - Info Disclosure

Title source: llm

Description

Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR makes requests to other servers as part of normal operation, and these resource owners can return large amounts of JSON back to MMR for parsing. In parsing, MMR can consume large amounts of memory and exhaust available memory. This is fixed in MMR v1.3.8. Users are advised to upgrade. For users unable to upgrade; forward proxies can be configured to block requests to unsafe hosts. Alternatively, MMR processes can be configured with memory limits and auto-restart. Running multiple MMR processes concurrently can help ensure a restart does not overly impact users.

References (2)

[Vendor Advisory] https://github.com/t2bot/matrix-media-repo/security/advisories/GHSA-gp86-q8hg-fpxj

[Release Notes] https://github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8

Scores

CVSS v3 5.3

EPSS 0.0010

EPSS Percentile 27.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-789

Status published

Products (2)

t2bot/matrix-media-repo < 1.3.8

t2bot/matrix-media-repo 0 - 1.3.8Go

Published Jan 16, 2025

Tracked Since Feb 18, 2026