HIGH 7.1
GHSA-v56r-hwv5-mxg6
Synapse vulnerable to federation denial of service via malformed events
Details
### Impact A malicious server can craft events with a `depth` outside the integer range allowed by Canonical JSON. When such an event is received by Synapse version up to 1.127.0, it prevents it from federating with other servers. The vulnerability has been exploited in the wild.
### Patches Fixed in Synapse v1.127.1.
### Workarounds Closed federation environments of trusted servers or non-federating installations are not affected.
### For more information
If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).
Are you affected?
Enter the version of the package you're using.
Affected packages
PyPI / matrix-synapse
Introduced in:
0 Fixed in: 1.127.1 Fix
pip install --upgrade 'matrix-synapse>=1.127.1' References
- https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2025-30355 [ADVISORY]
- https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389 [WEB]
- https://github.com/element-hq/synapse [PACKAGE]
- https://github.com/element-hq/synapse/releases/tag/v1.127.1 [WEB]