CVE-2023-32323

Severity CVSS v4.0:
Pending analysis
Type:
CWE-20 Input Validation
Publication date:
26/05/2023
Last modified:
13/02/2025

Description

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of `invite_room_state`, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized `invite_room_state` fields. Server operators should upgrade to Synapse 1.74 or newer urgently.

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:* 1.74.0 (excluding)