Impact
In Synapse before 1.120.1, multipart/form-data
requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks.
Patches
Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data
content type.
Workarounds
Limiting request sizes or blocking the multipart/form-data
content type before the requests reach Synapse, for example in a reverse proxy, alleviates the issue. Another approach that mitigates the attack is to use a low max_upload_size
in Synapse.
References
For more information
If you have any questions or comments about this advisory, please email us at security at element.io.
Impact
In Synapse before 1.120.1,
multipart/form-data
requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks.Patches
Synapse 1.120.1 resolves the issue by denying requests with unsupported
multipart/form-data
content type.Workarounds
Limiting request sizes or blocking the
multipart/form-data
content type before the requests reach Synapse, for example in a reverse proxy, alleviates the issue. Another approach that mitigates the attack is to use a lowmax_upload_size
in Synapse.References
For more information
If you have any questions or comments about this advisory, please email us at security at element.io.