CVE-2025-61672

Sažetak

Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.

Reference

https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1
https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740
https://github.com/element-hq/synapse/pull/17097
https://github.com/element-hq/synapse/releases/tag/v1.138.3
https://github.com/element-hq/synapse/releases/tag/v1.139.1
https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr

CVSS

Base:	0.0
Impact:	None
Exploitability:	None

Pristup

Vektor	Složenost	Autentikacija
None	None	None

Impact

Povjerljivost	Cjelovitost	Dostupnost
None	None	None

CVSS vektor

None

Zadnje važnije ažuriranje

08-10-2025 - 19:38

Objavljeno

08-10-2025 - 15:16