Description
Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g
Scores
CVSS v3
9.1
EPSS
0.0096
EPSS Percentile
76.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-434
Status
published
Products (2)
matrix/synapse
< 1.120.1
pypi/matrix-synapse
0 - 1.120.1PyPI
Published
Dec 03, 2024
Tracked Since
Feb 18, 2026