Synapse allows unsupported content types to lead to memory exhaustion
GHSA-rfq8-j7rh-8hf2 · CVE-2024-52805
Published · Modified
Description
Impact
In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks.
Patches
Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type.
Workarounds
Limiting request sizes or blocking the multipart/form-data content type before the requests reach Synapse, for example in a reverse proxy, alleviates the issue. Another approach that mitigates the attack is to use a low max_upload_size in Synapse.
References
- https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518
- https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609
For more information
If you have any questions or comments about this advisory, please email us at security at element.io.
References
- WEB https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-52805
- WEB https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518
- WEB https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609
- PACKAGE https://github.com/element-hq/synapse
Ready to move
Start Securing
Free, no credit card | First findings in minutes