VDB

CVE-2024-31208 (Published) · CVSS 6.5 Medium

Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances running versions before 1.105.1, can send specially crafted events that exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available: ban the malicious users or block their servers with a server ACL in the affected rooms, and/or leave the room and purge it using the admin API.

Risk Scores

  • CVSS v3.1: 6.5 (vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
  • EPSS Score: 4.19% (88.9th percentile)

Affected Products

  Vendor          Product          Versions
  PyPI            matrix-synapse   0
  matrix          synapse          0
  element-hq      synapse          < 1.105.1
  fedoraproject   fedora           38, 39, 40

Timeline

  • Jan 21, 1970 Security Advisory
  • Apr 23, 2024 CVE Published
  • Apr 24, 2024 EPSS Score
  • Oct 4, 2024 Coalition ESS Score
  • Mar 17, 2025 EPSS Score
  • Mar 29, 2025 EPSS Score
  • Mar 30, 2025 EPSS Score
  • Apr 1, 2025 EPSS Score
  • Apr 2, 2025 EPSS Score
  • Apr 11, 2025 EPSS Score
  • Apr 12, 2025 EPSS Score
  • May 1, 2025 EPSS Score