CVE-2025-30355
Published: 27 March 2025
Description
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Security Summary
CVE-2025-30355 is a vulnerability in Synapse, an open-source Matrix homeserver implementation, affecting releases up to and including 1.127.0. It stems from improper input validation (CWE-20): a malicious homeserver can craft events that, when received by a vulnerable Synapse instance over federation, stop that instance from federating with other servers. The flaw carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H): high availability impact, low integrity impact, no confidentiality impact, low attack complexity, and low privileges required.
The "low privileges" in the vector correspond to operating a Matrix homeserver that the target federates with; no account on the victim server is needed. Such an attacker exploits the flaw remotely by sending crafted events to the target during federation. Successful exploitation disrupts the victim's ability to federate, a denial-of-federation condition that severely impairs Matrix interoperability for that deployment without exposing any data.
Synapse maintainers fixed the vulnerability in version 1.127.1, as detailed in the GitHub security advisory (GHSA-v56r-hwv5-mxg6), the patching commit (2277df2a1eb685f85040ef98fa21d41aa4cdd389), and the release notes. No workaround is known, so upgrading to 1.127.1 or later is the only remediation and administrators should apply it promptly.
The vulnerability has been exploited in the wild, underscoring the urgency for Synapse operators to patch affected deployments.
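Because upgrading is the only remediation, the first operational check is whether a given deployment is still on a release before 1.127.1. The script below is an added example written for this page, not code from the Synapse project or its advisory. It parses the version string a homeserver reports at the spec-defined GET /_matrix/federation/v1/version endpoint and compares it against the fixed release. The embedded sample response is constructed, the host name in the usage comment is a placeholder, and the handling of release-candidate versions (an rc of 1.127.1 sorts before the final 1.127.1 and is reported as unfixed) is this example's own conservative assumption.

```python
import json
import re
import sys
import urllib.request
from typing import Optional, Tuple

# First Synapse release that carries the fix for CVE-2025-30355 (per the advisory).
FIXED_VERSION = (1, 127, 1)

# Synapse version strings look like "1.127.0" or "1.127.1rc2"; a leading "v" is tolerated.
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")

# Rank given to a final (non-rc) release so it sorts after every rc of the same number.
_FINAL_RANK = 10**9

# Constructed sample of a /_matrix/federation/v1/version body (not captured from a real host).
SAMPLE_RESPONSE = '{"server": {"name": "Synapse", "version": "1.127.0"}}'


def parse_synapse_version(version: str) -> Tuple[int, int, int, int]:
    """Convert a Synapse version string into a comparable tuple.

    Release candidates rank below the final release of the same number, so
    "1.127.1rc1" compares lower than "1.127.1". Treating rcs of the fixed
    release as unfixed is an assumption made by this example, not a statement
    from the advisory.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Synapse version string: {version!r}")
    major, minor, patch, rc = m.groups()
    rc_rank = int(rc) if rc is not None else _FINAL_RANK
    return (int(major), int(minor), int(patch), rc_rank)


def is_vulnerable(version: str) -> bool:
    """True when the version predates the fixed release 1.127.1."""
    return parse_synapse_version(version) < FIXED_VERSION + (_FINAL_RANK,)


def version_from_federation_response(body: str) -> Optional[str]:
    """Extract the server version from a federation /version response body.

    The Matrix spec defines the shape as {"server": {"name": ..., "version": ...}}.
    Returns None when the responder does not identify itself as Synapse, since
    the fixed-version comparison is only meaningful for Synapse.
    """
    doc = json.loads(body)
    server = doc.get("server")
    if not isinstance(server, dict):
        return None
    if str(server.get("name", "")).lower() != "synapse":
        return None
    version = server.get("version")
    return version if isinstance(version, str) else None


def assess_response(body: str) -> str:
    """Classify a federation /version body as 'vulnerable', 'fixed' or 'not-synapse'."""
    version = version_from_federation_response(body)
    if version is None:
        return "not-synapse"
    return "vulnerable" if is_vulnerable(version) else "fixed"


def fetch_version_response(base_url: str, timeout: float = 10.0) -> str:
    """Fetch the federation version document from a live homeserver.

    base_url is the federation base, e.g. "https://matrix.example.org:8448"
    (a placeholder, not a real deployment).
    """
    url = f"{base_url}/_matrix/federation/v1/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    # With no argument the constructed sample is evaluated, so the script runs offline.
    body = fetch_version_response(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RESPONSE
    print(assess_response(body))
```

Run it with a federation base URL as the only argument to check a live homeserver, or with no argument to see the constructed sample classified as vulnerable. The version endpoint is unauthenticated and served on the federation port, so the same check works for your own deployment and for peers you federate with; a server that does not report itself as Synapse is classified as "not-synapse" rather than guessed at.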
Details
- CWE(s): CWE-20 (Improper Input Validation)
Affected Products
- Synapse (Matrix homeserver), versions up to and including 1.127.0; fixed in 1.127.1
MITRE ATT&CK Enterprise Techniques
- T1499.004 Endpoint Denial of Service: Application or System Exploitation
Why these techniques?
The vulnerability lets a malicious federated server inject crafted events over the federation protocol that cause a denial-of-federation DoS on the target homeserver, which maps directly to T1499.004 (Endpoint Denial of Service: Application or System Exploitation).