HIGH 7.1

GHSA-v56r-hwv5-mxg6

Synapse vulnerable to federation denial of service via malformed events

상세

### Impact A malicious server can craft events with a `depth` outside the integer range allowed by Canonical JSON. When such an event is received by Synapse version up to 1.127.0, it prevents it from federating with other servers. The vulnerability has been exploited in the wild.

### Patches Fixed in Synapse v1.127.1.

### Workarounds Closed federation environments of trusted servers or non-federating installations are not affected.

### For more information

If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

PyPI / matrix-synapse

최초 영향 버전: 0 수정 버전: 1.127.1

수정 pip install --upgrade 'matrix-synapse>=1.127.1'

참고

https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6 [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2025-30355 [ADVISORY]
https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389 [WEB]
https://github.com/element-hq/synapse [PACKAGE]
https://github.com/element-hq/synapse/releases/tag/v1.127.1 [WEB]