CVE-2024-52791
Published: 16 January 2025
Description
Matrix Media Repo (MMR) is a highly configurable multi-homeserver media repository for Matrix. MMR makes requests to other servers as part of normal operation, and those resource owners can return large amounts of JSON for MMR to parse. While parsing, MMR can consume large amounts of memory and exhaust the memory available to it. This is fixed in MMR v1.3.8, and users are advised to upgrade. For users unable to upgrade, forward proxies can be configured to block requests to unsafe hosts. Alternatively, MMR processes can be configured with memory limits and auto-restart. Running multiple MMR processes concurrently can help ensure that a restart does not overly impact users.
Security Summary
CVE-2024-52791 is a memory exhaustion vulnerability (CWE-789) in Matrix Media Repo (MMR), a highly configurable multi-homeserver media repository for the Matrix protocol. During normal operation, MMR fetches resources from other servers, which can respond with excessively large JSON payloads. Parsing these payloads causes MMR to consume significant amounts of memory, potentially leading to exhaustion of available resources. The vulnerability is rated with a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).
Any attacker controlling a server from which MMR requests resources can exploit this issue remotely, without authentication or user interaction. By serving oversized JSON responses, the attacker drives up MMR's memory usage during parsing, resulting in denial of service through resource exhaustion and potential process crashes.
The vulnerability is fixed in MMR version 1.3.8, and users are advised to upgrade immediately. For those unable to upgrade, mitigations include configuring forward proxies to block requests to unsafe hosts, setting memory limits on MMR processes with auto-restart capabilities, or running multiple MMR processes concurrently to minimize downtime during restarts. Details are available in the GitHub security advisory (GHSA-gp86-q8hg-fpxj) and release notes for v1.3.8.
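As an added illustration (not MMR's own code and not its v1.3.8 patch), the Go program below shows the defensive pattern that addresses this class of bug: cap the number of bytes read from a remote server before the JSON decoder ever sees them, so a response of any size costs at most the cap in memory, and reject an honest oversized Content-Length without reading the body at all. The 1 MiB cap, the function names and the `mxc://` sample document are assumptions for the example; the oversized response is constructed locally with `httptest`.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxRemoteJSONBytes caps how much of a remote server's response body we are
// willing to feed to the JSON decoder. The value is an assumption for this
// example, not MMR's configuration.
const maxRemoteJSONBytes int64 = 1 << 20

// ErrResponseTooLarge is returned when a remote body exceeds the cap.
var ErrResponseTooLarge = errors.New("remote JSON response exceeds size limit")

// countingReader records how many bytes have passed through it.
type countingReader struct {
	r io.Reader
	n int64
}

func (c *countingReader) Read(p []byte) (int, error) {
	n, err := c.r.Read(p)
	c.n += int64(n)
	return n, err
}

// decodeBoundedJSON decodes one JSON value from r into v while reading at most
// limit bytes. Whatever the remote side sends, the decoder's buffer can never
// grow past the cap; a body that exceeds it is reported as ErrResponseTooLarge.
func decodeBoundedJSON(r io.Reader, limit int64, v interface{}) error {
	// Allow limit+1 bytes so "exactly limit" and "more than limit" are distinguishable.
	cr := &countingReader{r: io.LimitReader(r, limit+1)}
	err := json.NewDecoder(cr).Decode(v)
	if cr.n > limit {
		return ErrResponseTooLarge
	}
	return err
}

// fetchJSONBounded performs a GET against url and decodes the body under the cap.
// An honest Content-Length above the cap is rejected without reading the body;
// a missing or dishonest Content-Length is still caught by decodeBoundedJSON.
func fetchJSONBounded(client *http.Client, url string, limit int64, v interface{}) error {
	resp, err := client.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.ContentLength > limit {
		return ErrResponseTooLarge
	}
	return decodeBoundedJSON(resp.Body, limit, v)
}

// isTooLarge reports whether err is the size-cap rejection.
func isTooLarge(err error) bool { return errors.Is(err, ErrResponseTooLarge) }

// oversizedJSON builds a syntactically valid JSON array of at least minBytes bytes
// (constructed sample input standing in for a hostile remote response).
func oversizedJSON(minBytes int) string {
	item := `{"k":"v"}`
	count := minBytes/len(item) + 1
	return "[" + strings.Repeat(item+",", count) + item + "]"
}

// runDemo stands up two constructed servers, one well-behaved and one that
// streams an oversized body, and reports whether each was handled as intended.
func runDemo(limit int64) (smallOK bool, largeRejected bool) {
	small := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, `{"content_uri":"mxc://example.org/abc"}`)
	}))
	defer small.Close()
	large := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Large enough to be sent chunked, so the client gets no Content-Length hint.
		fmt.Fprint(w, oversizedJSON(int(limit)*4))
	}))
	defer large.Close()

	var doc map[string]interface{}
	err := fetchJSONBounded(small.Client(), small.URL, limit, &doc)
	smallOK = err == nil && doc["content_uri"] == "mxc://example.org/abc"

	var sink []interface{}
	err = fetchJSONBounded(large.Client(), large.URL, limit, &sink)
	largeRejected = isTooLarge(err)
	return smallOK, largeRejected
}

func main() {
	smallOK, largeRejected := runDemo(maxRemoteJSONBytes)
	fmt.Printf("well-behaved server decoded: %v, oversized body rejected: %v\n", smallOK, largeRejected)
}
```

The cap is enforced on bytes read rather than on the decoded structure, which is what matters for the memory-exhaustion case: `json.Decoder` buffers a whole top-level value before unmarshalling it, so without the `LimitReader` the buffer alone grows with the attacker's response. The same bounded read should be applied to every outbound fetch, since the advisory's point is that any server MMR talks to can return the oversized body.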
Details
- CWE(s): CWE-789