Skip to content

Unsupported content types can lead to memory exhaustion

High
sandhose published GHSA-rfq8-j7rh-8hf2 Dec 3, 2024

Package

pip matrix-synapse (pip)

Affected versions

< 1.120.1

Patched versions

1.120.1

Description

Impact

In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks.

Patches

Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type.

Workarounds

Limiting request sizes or blocking the multipart/form-data content type before the requests reach Synapse, for example in a reverse proxy, alleviates the issue. Another approach that mitigates the attack is to use a low max_upload_size in Synapse.

References

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

Severity

High

CVE ID

CVE-2024-52805

Weaknesses

Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. Learn more on MITRE.