MEDIUM 4.9

PYSEC-2023-199

Details

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / matrix-synapse

Introduced in: 0 Fixed in: 1.94.0

Fix pip install --upgrade 'matrix-synapse>=1.94.0'

References

https://matrix-org.github.io/synapse/latest/admin_api/rooms.html#version-2-new-version [WEB]
https://github.com/matrix-org/synapse/pull/16360 [ADVISORY]
https://github.com/matrix-org/synapse/security/advisories/GHSA-5chr-wjw5-3gq4 [ADVISORY]