CVE-2025-61672
Severity: MEDIUM
Synapse < 1.138.3 and 1.139.0 - Federation Degradation via Device Key Validation Bypass
Title source: llmDescription
Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allows an attacker with an account on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that although 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression; for this reason the Synapse maintainers recommend skipping those two releases and upgrading straight to 1.138.4 or 1.139.2.
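The weakness class here (CWE-1287) is accepting a client-supplied structure without checking that it has the type and shape the rest of the system assumes. The following is an added example, not Synapse's code and not a reconstruction of the referenced fix: the advisory does not say which part of the device-key object went unvalidated, so the checks below are generic shape checks for a Matrix DeviceKeys object (user_id, device_id, algorithms, keys, signatures, as defined in the Matrix client-server spec) that a homeserver could apply at upload time, before the object is stored or forwarded over federation. The user and device IDs, key material, MAX_STR bound and the rule that only the owning user may appear as a signer are constructed or assumed for the example.

```python
import re
from typing import Any, Optional

# Shape of a DeviceKeys object per the Matrix client-server spec:
#   user_id, device_id, algorithms (list of str),
#   keys        ("<algorithm>:<device_id>" -> unpadded base64 str),
#   signatures  (user_id -> key_id -> unpadded base64 str).
USER_ID_RE = re.compile(r"^@[^@:\s]+:[^\s:]+(?::\d{1,5})?$")
KEY_ID_RE = re.compile(r"^[A-Za-z0-9_.-]+:[A-Za-z0-9_.-]+$")
DEVICE_ID_RE = re.compile(r"^[A-Za-z0-9_.-]+$")
MAX_STR = 4096  # cap on any single string field (assumed bound, not a spec value)


class DeviceKeysError(ValueError):
    """Validation failure; the message starts with the offending JSON path."""


def _str(value: Any, path: str, pattern: Optional[re.Pattern] = None) -> str:
    """Require a non-empty, bounded string, optionally matching a pattern."""
    if not isinstance(value, str) or not value or len(value) > MAX_STR:
        raise DeviceKeysError(f"{path}: expected non-empty string")
    if pattern is not None and not pattern.fullmatch(value):
        raise DeviceKeysError(f"{path}: malformed value")
    return value


def validate_device_keys(obj: Any, user_id: str, device_id: str) -> dict:
    """Return obj unchanged if it is a well-formed DeviceKeys object bound to the
    authenticated (user_id, device_id); raise DeviceKeysError otherwise.
    Unknown fields are left alone because signatures cover the whole object."""
    if not isinstance(obj, dict):
        raise DeviceKeysError("device_keys: expected object")
    if _str(obj.get("user_id"), "user_id", USER_ID_RE) != user_id:
        raise DeviceKeysError("user_id: does not match the authenticated user")
    if _str(obj.get("device_id"), "device_id", DEVICE_ID_RE) != device_id:
        raise DeviceKeysError("device_id: does not match the uploading device")

    algorithms = obj.get("algorithms")
    if not isinstance(algorithms, list) or not algorithms:
        raise DeviceKeysError("algorithms: expected non-empty array")
    for i, alg in enumerate(algorithms):
        _str(alg, f"algorithms[{i}]")

    keys = obj.get("keys")
    if not isinstance(keys, dict) or not keys:
        raise DeviceKeysError("keys: expected non-empty object")
    for key_id, key in keys.items():
        _str(key_id, "keys", KEY_ID_RE)
        # The device id embedded in the key id must be the uploading device.
        if key_id.split(":", 1)[1] != device_id:
            raise DeviceKeysError(f"keys.{key_id}: key id is not for this device")
        _str(key, f"keys.{key_id}")

    signatures = obj.get("signatures")
    if not isinstance(signatures, dict) or not signatures:
        raise DeviceKeysError("signatures: expected non-empty object")
    for signer, sigs in signatures.items():
        _str(signer, "signatures", USER_ID_RE)
        if signer != user_id:  # assumption: device keys are only self-signed
            raise DeviceKeysError(f"signatures.{signer}: only the owning user may sign device keys")
        if not isinstance(sigs, dict) or not sigs:
            raise DeviceKeysError(f"signatures.{signer}: expected non-empty object")
        for key_id, sig in sigs.items():
            _str(key_id, f"signatures.{signer}", KEY_ID_RE)
            _str(sig, f"signatures.{signer}.{key_id}")
    if f"ed25519:{device_id}" not in signatures[user_id]:
        raise DeviceKeysError("signatures: missing the device's own ed25519 self-signature")
    return obj


def rejection_reason(obj: Any, user_id: str, device_id: str) -> Optional[str]:
    """None if obj validates, otherwise the path-prefixed reason it was rejected."""
    try:
        validate_device_keys(obj, user_id, device_id)
    except DeviceKeysError as exc:
        return str(exc)
    return None


# Constructed sample payloads (not taken from the advisory or from Synapse).
USER, DEVICE = "@alice:example.org", "JLAFKJWSCS"
GOOD = {
    "user_id": USER,
    "device_id": DEVICE,
    "algorithms": ["m.olm.v1.curve25519-aes-sha2", "m.megolm.v1.aes-sha2"],
    "keys": {
        f"curve25519:{DEVICE}": "3C5BFWi2Y8MaVvjM8M22DBmh24PmgR0nPvJOIArzgyI",
        f"ed25519:{DEVICE}": "lEuiRJBit0IG6nUf5pUzWTUEsRVVe/HJkoKuEww9ULI",
    },
    "signatures": {USER: {f"ed25519:{DEVICE}": "dSO80A01XiigH3uBiDVx/EjzaoycHcjq9lfQX0uWsqxl2giMIiSPR8a4d291W1ihKJL"}},
}
BAD_KEYS_TYPE = {**GOOD, "keys": {f"ed25519:{DEVICE}": ["not", "a", "string"]}}  # wrong value type
BAD_KEY_OWNER = {**GOOD, "keys": {"ed25519:OTHERDEVICE": "AAAA"}}  # key id names another device
BAD_USER = {**GOOD, "user_id": "@mallory:example.org"}  # claims another user's identity

if __name__ == "__main__":
    for name, payload in [("GOOD", GOOD), ("BAD_KEYS_TYPE", BAD_KEYS_TYPE),
                          ("BAD_KEY_OWNER", BAD_KEY_OWNER), ("BAD_USER", BAD_USER)]:
        print(name, "->", rejection_reason(payload, USER, DEVICE) or "accepted")
```

The point of binding the object to the authenticated user and device, and of rejecting wrong types rather than coercing them, is that a homeserver later hands this object verbatim to other servers over federation; a malformed object that is stored locally becomes a problem for every peer that has to process it.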
References (6)
Vendor Advisory: https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr
Issue Tracking: https://github.com/element-hq/synapse/pull/17097
Patch: https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1
Patch: https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740
Release Notes: https://github.com/element-hq/synapse/releases/tag/v1.138.3
Release Notes: https://github.com/element-hq/synapse/releases/tag/v1.139.1
Scores
CVSS v4: 5.3
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
EPSS: 0.0044 (percentile 34.9%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-1287 (Improper Validation of Specified Type of Input)
Status: published
Products (3)
element-hq/synapse: < 1.138.3
element-hq/synapse: = 1.139.0
pypi/matrix-synapse (PyPI): >= 0, < 1.138.3
Published: Oct 08, 2025
Tracked since: Feb 18, 2026