MEDIUM
GHSA-6qf2-7x63-mm6v
Synapse pagination Denial of Service
Details
### Impact
In federated rooms, malicious homeservers can craft room events in a way that prevents Synapse from providing full history to paginating clients.
Clients could therefore fail to display room history.
### Patches
Update to Synapse 1.152.1 or later.
### Workarounds
There are no known workarounds for this issue.
### Identifiers
- ELEMENTSEC-2025-1636
### For more information
If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).
Affected packages
PyPI / matrix-synapse
Introduced in: 0
Fixed in: 1.152.1
Fix:
pip install --upgrade 'matrix-synapse>=1.152.1'