CVE-2025-30355 HIGH

CVE-2025-30355: Synapse vulnerable to federation denial of service via malformed events

Vendor Element-Hq
Product synapse
Weakness CWE-20 · Input validation
Published March 27, 2025
Last update March 27, 2025

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

What the vulnerability does

01 Description

Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse versions up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.

Key dates

02 Disclosure timeline

March 27, 2025 CVE published
March 27, 2025 Record updated