Skip to content

Unsupported content types can lead to memory exhaustion

High
sandhose published GHSA-rfq8-j7rh-8hf2 Dec 3, 2024

Package

pip matrix-synapse (pip)

Affected versions

< 1.120.1

Patched versions

1.120.1

Description

Impact

In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks.

Patches

Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type.

Workarounds

Limiting request sizes or blocking the multipart/form-data content type before the requests reach Synapse, for example in a reverse proxy, alleviates the issue. Another approach that mitigates the attack is to use a low max_upload_size in Synapse.

References

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

Severity

High

CVE ID

CVE-2024-52805

Weaknesses