pkg:PyPI/matrix-synapse

75 total CVEs: CRITICAL 1, HIGH 20, MEDIUM 37, LOW 14

All known vulnerabilities

  • CRITICAL 9.1 CVE-2024-53863: Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders
    from 0, < 1.120.1
  • HIGH 8.8 CVE-2018-16515: Matrix Synapse Improper Signature Validation
    >= 0.33.3, < 0.33.3.1
  • HIGH 8.6 CVE-2019-18835: Improper Verification of Cryptographic Signature in matrix-synapse
    from 0, < 1.5.0
  • HIGH 8.6 CVE-2019-18835: Improper Verification of Cryptographic Signature in matrix-synapse
    from 0, < 1.5.0
  • HIGH 7.5 CVE-2024-52805: Synapse allows unsupported content types to lead to memory exhaustion
    from 0, < 1.120.1
  • HIGH 7.5 CVE-2024-37302: Synapse denial of service through media disk space consumption
    from 0, < 1.106
  • HIGH 7.5 CVE-2024-37302: Synapse denial of service through media disk space consumption
    from 0, < 1.106.0
  • HIGH 7.5 CVE-2022-31152: Denial of service due to incorrect application of event authorization rules
    from 0, < 1.62.0
  • HIGH 7.5 CVE-2022-31152: Denial of service due to incorrect application of event authorization rules
    from 0, < 1.62.0rc1
  • HIGH 7.5 CVE-2019-11842: matrix-sydent and matrix-synapse Use Cryptographically Weak PRNG
    from 0, < 0.99.3.1
  • HIGH 7.5 CVE-2019-11842: matrix-sydent and matrix-synapse Use Cryptographically Weak PRNG
    from 0, < 0.99.3.1
  • HIGH 7.5 CVE-2018-10657: Matrix Synapse DoS
    from 0, < 0.28.1
  • HIGH 7.5 CVE-2018-12423: Matrix Synapse Authorization Error
    from 0, < 0.31.2
  • HIGH 7.5 CVE-2018-12291: Matrix Synapse Security Filtering Flaw
    from 0, < 0.31.1
  • HIGH 7.5 CVE-2019-5885: Matrix Synapse Predictable Secret Key
    from 0, < 0.34.0.1
  • HIGH 7.5 CVE-2019-5885: Matrix Synapse Predictable Secret Key
    from 0, < 0.34.0.1
  • HIGH 7.5 CVE-2021-41281: Path traversal in Matrix Synapse
    from 0, < 1.47.1
  • HIGH 7.5 CVE-2021-41281: Path traversal in Matrix Synapse
    from 0, < 91f2bd0907f1d05af67166846988e49644eb650c | from 0, < 1.47.1
  • HIGH 7.5 CVE-2020-26890: Denial of service attack due to invalid JSON
    from 0, < 1.20.0
  • HIGH 7.5 CVE-2020-26890: Denial of service attack due to invalid JSON
    from 0, < 1.20.0
  • HIGH 7.1 CVE-2025-30355: Synapse vulnerable to federation denial of service via malformed events
    from 0, < 1.127.1
  • MEDIUM 6.9 CVE-2021-21332: Cross-site scripting (XSS) vulnerability in the password reset endpoint
    from 0, < e54746bdf7d5c831eabe4dcea76a7626f1de73df | from 0, < 1.27.0
  • MEDIUM 6.9 CVE-2021-21332: Cross-site scripting (XSS) vulnerability in the password reset endpoint
    from 0, < 1.27.0
  • MEDIUM 6.5 CVE-2024-31208: Synapse V2 state resolution weakness allows Denial of Service (DoS)
    from 0, < 1.105.1
  • MEDIUM 6.5 CVE-2024-31208: Synapse V2 state resolution weakness allows Denial of Service (DoS)
    from 0, < 55b0aa847a61774b6a3acdc4b177a20dc019f01a | from 0, < 1.105.1
  • MEDIUM 6.5 CVE-2022-39374: Synapse Denial of service due to incorrect application of event authorization rules during state resolution
    >= 1.62.0, < 1.68.0
  • MEDIUM 6.5 CVE-2022-39374: Synapse Denial of service due to incorrect application of event authorization rules during state resolution
    >= 1.62.0, < 1.68.0rc1
  • MEDIUM 6.5 CVE-2022-31052: URL previews of unusual or maliciously-crafted pages can crash Synapse media repositories or Synapse monoliths
    from 0, < fa1308061802ac7b7d20e954ba7372c5ac292333 | from 0, < 1.61.1
  • MEDIUM 6.5 CVE-2022-31052: URL previews of unusual or maliciously-crafted pages can crash Synapse media repositories or Synapse monoliths
    from 0, < 1.61.1
  • MEDIUM 6.5 CVE-2020-26257: Denial of service attack via incorrect parameters in Matrix Synapse
    from 0, < 1.23.1
  • MEDIUM 6.5 CVE-2020-26257: Denial of service attack via incorrect parameters in Matrix Synapse
    from 0, < 3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b | from 0, < 1.23.1
  • MEDIUM 6.3 CVE-2021-21392: Open redirect via transitional IPv6 addresses on dual-stack networks
    from 0, < 1.28.0
  • MEDIUM 6.3 CVE-2021-21392: Open redirect via transitional IPv6 addresses on dual-stack networks
    from 0, < 1.28.0rc1
  • MEDIUM 6.1 CVE-2021-21333: HTML injection in email and account expiry notifications
    from 0, < e54746bdf7d5c831eabe4dcea76a7626f1de73df | from 0, < 1.27.0
  • MEDIUM 6.1 CVE-2021-21333: HTML injection in email and account expiry notifications
    from 0, < 1.27.0
  • MEDIUM 6.1 CVE-2020-26891: Cross-site scripting (XSS) vulnerability in the fallback authentication endpoint
    from 0, < 1.21.0
  • MEDIUM 6.1 CVE-2020-26891: Cross-site scripting (XSS) vulnerability in the fallback authentication endpoint
    from 0, < 1.21.0
  • MEDIUM 5.4 CVE-2023-32682: Synapse has improper checks for deactivated users during login
    from 0, < 1.85.0
  • MEDIUM 5.4 CVE-2023-32682: Synapse has improper checks for deactivated users during login
    from 0, < 1.85.0
  • MEDIUM 5.3 CVE-2024-52815: Synapse allows a malformed invite to break the invitee's `/sync`
    from 0, < 1.120.1
  • MEDIUM 5.3 CVE-2024-37303: Synapse's unauthenticated writes to the media repository allow planting of problematic content
    from 0, < 1.106
  • MEDIUM 5.3 CVE-2024-37303: Synapse's unauthenticated writes to the media repository allow planting of problematic content
    from 0, < 1.106.0
  • MEDIUM 5.3 CVE-2023-43796: Synapse vulnerable to leak of remote user device information
    from 0, < 1.95.1
  • MEDIUM 5.3 CVE-2023-43796: Synapse vulnerable to leak of remote user device information
    from 0, < daec55e1fe120c564240c5386e77941372bf458f | from 0, < 1.95.1
  • MEDIUM 5.3 CVE-2022-41952: Uncontrolled Resource Consumption in Matrix Synapse
    from 0, < 1.53.0
  • MEDIUM 5.3 CVE-2021-21394: Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints
    from 0, < 1.28.0
  • MEDIUM 5.3 CVE-2021-21394: Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints
    from 0, < 1.28.0
  • MEDIUM 5.3 CVE-2021-21393: Denial of service (via resource exhaustion) due to improper input validation on groups/communities endpoints
    from 0, < 1.28.0
  • MEDIUM 5.3 CVE-2021-21393: Denial of service (via resource exhaustion) due to improper input validation on groups/communities endpoints
    from 0, < 1.28.0
  • MEDIUM 5.0 CVE-2023-32323: Synapse Outgoing federation to specific hosts can be disabled by sending malicious invites
    from 0, < 1.74.0
  • MEDIUM 5.0 CVE-2023-32323: Synapse Outgoing federation to specific hosts can be disabled by sending malicious invites
    from 0, < 1.74.0
  • MEDIUM 5.0 CVE-2022-39335: Synapse does not apply enough checks to servers requesting auth events of events in a room
    from 0, < 1.69.0
  • MEDIUM 5.0 CVE-2022-39335: Synapse does not apply enough checks to servers requesting auth events of events in a room
    from 0, < 1.69.0
  • MEDIUM 4.9 CVE-2023-45129: matrix-synapse vulnerable to denial of service due to malicious server ACL events
    from 0, < 1.94.0
  • MEDIUM 4.9 CVE-2023-45129: matrix-synapse vulnerable to denial of service due to malicious server ACL events
    from 0, < 1.94.0
  • MEDIUM 4.3 CVE-2024-53867: Synapse Matrix has a partial room state leak via Sliding Sync
    >= 1.113.0rc1, < 1.120.1
  • MEDIUM 4.3 CVE-2021-21274: Denial of service attack via .well-known lookups
    from 0, < ff5c4da1289cb5e097902b3e55b771be342c29d6 | >= 0.99.0, < 1.25.0
  • MEDIUM 4.3 CVE-2021-21274: Denial of service attack via .well-known lookups
    >= 0.99.0, < 1.25.0
  • LOW 3.7 CVE-2023-41335: matrix-synapse vulnerable to temporary storage of plaintext passwords during password changes
    >= 1.66.0, < 1.93.0
  • LOW 3.7 CVE-2023-41335: matrix-synapse vulnerable to temporary storage of plaintext passwords during password changes
    >= 1.66.0, < 1.93.0
  • LOW 3.7 CVE-2021-29471: Denial of service attack via push rule patterns in matrix-synapse
    from 0, < 1.33.2
  • LOW 3.7 CVE-2021-29471: Denial of service attack via push rule patterns in matrix-synapse
    from 0, < 03318a766cac9f8b053db2214d9c332a977d226c | from 0, < 1.33.2
  • LOW 3.5 CVE-2023-32683: Synapse has URL deny list bypass via oEmbed and image URLs when generating previews
    from 0, < 1.85.0
  • LOW 3.5 CVE-2023-32683: Synapse has URL deny list bypass via oEmbed and image URLs when generating previews
    from 0, < 1.85.0
  • LOW 3.1 CVE-2023-42453: matrix-synapse vulnerable to improper validation of receipts allows forged read receipts
    >= 0.34.0, < 1.93.0
  • LOW 3.1 CVE-2023-42453: matrix-synapse vulnerable to improper validation of receipts allows forged read receipts
    >= 1.34.0, < 1.93.0
  • LOW 3.1 CVE-2021-39163: Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner.
    from 0, < cb35df940a828bc40b96daed997b5ad4c7842fd3 | from 0, < 1.41.1
  • LOW 3.1 CVE-2021-39163: Adding a private/unlisted room to a community exposes room metadata in an unauthorised manner.
    from 0, < 1.41.1
  • LOW 3.1 CVE-2021-39164: Improper authorisation of members discloses room membership to non-members
    from 0, < cb35df940a828bc40b96daed997b5ad4c7842fd3 | from 0, < 1.41.1
  • LOW 3.1 CVE-2021-39164: Improper authorisation of members discloses room membership to non-members
    from 0, < 1.41.1
  • LOW 3.1 CVE-2021-21273: Open redirects on some federation and push requests
    from 0, < 1.25.0
  • LOW 3.1 CVE-2021-21273: Open redirects on some federation and push requests
    from 0, < 30fba6210834a4ecd91badf0c8f3eb278b72e746 | from 0, < 1.25.0
  • CVE-2026-45076: Synapse pagination Denial of Service
    from 0, < 1.152.1
  • CVE-2026-45078: Synapse CPU starvation (Denial of Service)
    from 0, < 1.152.1
  • CVE-2025-61672: Synapse's invalid device keys degrade federation functionality
    from 0, < 1.138.3