CVE-2024-52805
HIGH
Synapse < 1.120.1 - Denial of Service via Multipart/Form-Data Request
Title source: llm
Description
Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2
Issue Tracking x_refsource_misc
https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518
Issue Tracking x_refsource_misc
https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609
Scores
CVSS v3
7.5
EPSS
0.0109
EPSS Percentile
78.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-770
Status
published
Products (2)
matrix/synapse
< 1.120.1
pypi/matrix-synapse
0 - 1.120.1
PyPI
Published
Dec 03, 2024
Tracked Since
Feb 18, 2026