Synapse vulnerable to federation denial of service via malformed events

GHSA-v56r-hwv5-mxg6 · CVE-2025-30355

Published Mar 27, 2025 · Modified Oct 24, 2025

Description

Impact

A malicious server can craft events with a depth outside the integer range allowed by Canonical JSON. When such an event is received by Synapse version up to 1.127.0, it prevents it from federating with other servers. The vulnerability has been exploited in the wild.

Patches

Fixed in Synapse v1.127.1.

Workarounds

Closed federation environments of trusted servers or non-federating installations are not affected.

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

References

WEB https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6
ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-30355
WEB https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389
PACKAGE https://github.com/element-hq/synapse
WEB https://github.com/element-hq/synapse/releases/tag/v1.127.1

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes