GHSA-rfq8-j7rh-8hf2
Synapse allows unsupported content types to lead to memory exhaustion
Details
### Impact
In Synapse before 1.120.1, `multipart/form-data` requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks.
### Patches
Synapse 1.120.1 resolves the issue by denying requests with unsupported `multipart/form-data` content type.
### Workarounds
Limiting request sizes or blocking the `multipart/form-data` content type before the requests reach Synapse, for example in a reverse proxy, alleviates the issue. Another approach that mitigates the attack is to use a low `max_upload_size` in Synapse.
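Both workarounds applied in a reverse proxy, as an added nginx example that is not part of the advisory or of Synapse's own documentation; the upstream address, hostname, path prefixes and the 20M body cap are assumptions to adapt to the deployment.

```nginx
# Added example, not from the advisory: nginx in front of Synapse, applying
# the two workarounds described above. 127.0.0.1:8008, the hostname and the
# 20M cap are assumed values; the path prefixes are the usual Synapse ones.
upstream synapse {
    server 127.0.0.1:8008;
}

server {
    listen 443 ssl;
    server_name matrix.example.com;   # placeholder hostname

    # Workaround 1: cap request bodies before they reach Synapse. Keep this at
    # least as large as the largest upload clients legitimately need.
    client_max_body_size 20M;

    location ~ ^(/_matrix|/_synapse/client) {
        # Workaround 2: refuse the content type the advisory describes as
        # unsupported, so Synapse never starts parsing such a body. The
        # case-insensitive match also covers "multipart/form-data; boundary=...".
        # `return` is one of the directives that is safe to use inside `if`.
        if ($http_content_type ~* "^multipart/form-data") {
            return 415;   # Unsupported Media Type
        }

        proxy_pass http://synapse;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Rejected requests show up in the nginx access log with status 415, which gives a simple signal for spotting a client or attacker sending this content type in volume.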
### References
- https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518
- https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609
### For more information
If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).
Affected packages
Fixed in: 1.120.1
`pip install --upgrade 'matrix-synapse>=1.120.1'`
References
- https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2024-52805 [ADVISORY]
- https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518 [WEB]
- https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609 [WEB]
- https://github.com/element-hq/synapse [PACKAGE]