CVE-2025-30355

Synapse vulnerable to federation denial of service via malformed events

Basic Information

CVE State
PUBLISHED
Reserved Date
March 21, 2025
Published Date
March 27, 2025
Last Updated
March 27, 2025
Vendor
element-hq
Product
synapse
Description
Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse versions up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.

CVSS Scores

CVSS v3.1

7.1 - HIGH

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

SSVC Information

Exploitation
none
Technical Impact
partial

Exploit Status

Exploited in the Wild
Yes (added 2025-03-27 00:00:00 UTC)

Known Exploited Vulnerability Information

Source
CVE
Added Date
2025-03-27 00:00:00 UTC