Description
Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse versions up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.
References (3)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6
Patch x_refsource_misc
https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389
Release Notes x_refsource_misc
https://github.com/element-hq/synapse/releases/tag/v1.127.1
Scores
CVSS v3
7.1
EPSS
0.1320
EPSS Percentile
94.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
VulnCheck KEV
2025-03-26
CWE
CWE-20
Status
published
Products (2)
matrix/synapse
< 1.127.1
pypi/matrix-synapse
0 - 1.127.1 (PyPI)
Published
Mar 27, 2025
Tracked Since
Feb 18, 2026