HIGH

GHSA-8q93-326v-3m7g

Synapse CPU starvation (Denial of Service)

상세

### Impact

Local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service.

Homeservers that trust all their local users are not at risk.

### Patches

Update to Synapse 1.152.1 or later.

### Workarounds

If Synapse is deployed behind a reverse proxy, the reverse proxy could be configured to limit the rate of user requests, preventing or increasing the difficulty of the attack.

### Identifiers

- ELEMENTSEC-2026-1706

### For more information

If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / matrix-synapse

최초 영향 버전: 0 수정 버전: 1.152.1

수정 pip install --upgrade 'matrix-synapse>=1.152.1'

참고

https://github.com/element-hq/synapse/security/advisories/GHSA-8q93-326v-3m7g [WEB]
https://github.com/element-hq/synapse/issues/19394 [WEB]
https://github.com/element-hq/synapse/commit/3f58bc50dfba5768ee43ce48c5e74c25ba0b078a [WEB]
https://github.com/element-hq/synapse [PACKAGE]