CVE-2025-30355

Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.

CVSS v3 7.1 HIGH

7.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389	Patch
https://github.com/element-hq/synapse/releases/tag/v1.127.1	Release Notes
https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2025-03-27 01:15

Updated : 2025-08-26 19:24

NVD link : CVE-2025-30355

Mitre link : CVE-2025-30355

CVE.ORG link : CVE-2025-30355

JSON object : View

Products Affected

matrix

synapse

CWE

CWE-20

Improper Input Validation

NVD-CWE-noinfo

{"id": "CVE-2025-30355", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "impactScore": 4.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "[email protected]", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-03-27T01:15:12.500", "references": [{"url": "https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389", "tags": ["Patch"], "source": "[email protected]"}, {"url": "https://github.com/element-hq/synapse/releases/tag/v1.127.1", "tags": ["Release Notes"], "source": "[email protected]"}, {"url": "https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6", "tags": ["Vendor Advisory"], "source": "[email protected]"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available."}, {"lang": "es", "value": "Synapse es una implementaci\u00f3n de c\u00f3digo abierto de un servidor dom\u00e9stico Matrix. Un servidor malicioso puede manipular eventos que, al recibirse, impiden que las versiones de Synapse hasta la 1.127.0 se federen con otros servidores. La vulnerabilidad se ha explotado in situ y se ha corregido en Synapse v1.127.1. No se conocen workarounds."}], "lastModified": "2025-08-26T19:24:45.283", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "14AB0CCC-9114-4556-91F4-6142BAC9D568", "versionEndExcluding": "1.127.1"}], "operator": "OR"}]}], "sourceIdentifier": "[email protected]"}