Risk | High
Patch available | Yes
Number of vulnerabilities | 1
CVE-ID | CVE-2025-30355
CWE-ID | CWE-20
Exploitation vector | Network
Public exploit | This vulnerability is being exploited in the wild.
Vulnerable software | Synapse (Server applications / Conferencing, Collaboration and VoIP solutions)
Vendor | Matrix.org
Security Bulletin
This security bulletin contains one high risk vulnerability.
EUVDB-ID: #VU106284
Risk: High
CVSSv4.0: 4.9 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]
CVE-ID: CVE-2025-30355
CWE-ID: CWE-20 - Improper input validation
Exploit availability: No
Description: The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to insufficient validation of user-supplied input. A remote user can send specially crafted events to the application and prevent it from federating with other servers.
Note, the vulnerability is being exploited in the wild.
Mitigation: Install updates from the vendor's website.
Vulnerable software versions: Synapse 1.0.0 - 1.127.0
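A quick way to act on the affected range above is to compare a deployed server's reported version against it. The following is an added example, not code from the advisory or from the Synapse project; it assumes the version string has already been retrieved (for instance from the JSON body of Synapse's admin endpoint `GET /_synapse/admin/v1/server_version`), and the sample responses at the bottom are constructed for illustration.

```python
import re

# Affected range stated in the advisory (inclusive): Synapse 1.0.0 through 1.127.0.
# The fix shipped in 1.127.1 (see the release tag referenced in this bulletin).
AFFECTED_MIN = (1, 0, 0)
AFFECTED_MAX = (1, 127, 0)
FIXED = (1, 127, 1)

# Synapse version strings look like "1.127.0", "v1.127.0" or "1.127.1rc1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(rc\d+)?$")


def parse_version(text):
    """Parse a Synapse version string into (major, minor, patch, is_prerelease)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Synapse version string: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), rc is not None)


def assess(version_text):
    """Classify a Synapse version against the CVE-2025-30355 affected range.

    Returns one of: "affected", "fixed", "review", "outside-range".
    """
    major, minor, patch, prerelease = parse_version(version_text)
    v = (major, minor, patch)
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        # A release candidate of the fixed version itself may predate the
        # patch commit, so flag it for manual review rather than calling it fixed.
        return "review" if (prerelease and v == FIXED) else "fixed"
    # Older than 1.0.0: not covered by the advisory's stated range.
    return "outside-range"


def assess_server_version_response(response):
    """Assess the JSON body of GET /_synapse/admin/v1/server_version.

    The body contains a "server_version" key (assumption based on the
    documented admin API; other keys are ignored).
    """
    return assess(response["server_version"])


if __name__ == "__main__":
    # Constructed sample responses, not data from real servers.
    samples = [
        {"server_version": "1.127.0"},
        {"server_version": "1.127.1"},
        {"server_version": "1.127.1rc1"},
        {"server_version": "v1.50.2"},
    ]
    for body in samples:
        print(body["server_version"], "->", assess_server_version_response(body))
```

The range comparison works on numeric tuples rather than string comparison, so "1.9.0" correctly sorts below "1.127.0"; a version that fails to parse raises rather than silently passing as fixed.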
CPE2.3: none listed
References:
https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389
https://github.com/element-hq/synapse/releases/tag/v1.127.1
https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.
Is there known malware that exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.