HIGH

GHSA-8q93-326v-3m7g

Synapse CPU starvation (Denial of Service)

Details

### Impact

Local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service.

Homeservers that trust all their local users are not at risk.

### Patches

Update to Synapse 1.152.1 or later.

### Workarounds

If Synapse is deployed behind a reverse proxy, the reverse proxy could be configured to limit the rate of user requests, preventing or increasing the difficulty of the attack.

### Identifiers

- ELEMENTSEC-2026-1706

### For more information

If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / matrix-synapse

Introduced in: 0 Fixed in: 1.152.1

Fix pip install --upgrade 'matrix-synapse>=1.152.1'

References

https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g [WEB]
https://github.com/element-hq/synapse/issues/19394 [WEB]
https://github.com/element-hq/synapse/commit/3f58bc50dfba5768ee43ce48c5e74c25ba0b078a [WEB]
https://github.com/element-hq/synapse [PACKAGE]