CVE-2025-30355

Name
CVE-2025-30355
Description
Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.
NVD Severity
unknown
Other trackers
CVE, NVD, CERT, CVE Details, CIRCL, Arch Linux, Debian, Red Hat, Ubuntu, Gentoo, SUSE (Bugzilla), SUSE (CVE), Mageia
Mailing lists
oss-security, full-disclosure, bugtraq
Exploits
Exploit DB, Metasploit
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389
MISC https://github.com/element-hq/synapse/releases/tag/v1.127.1
CONFIRM https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6

Match rules

CPE URI Source package Min version Max version
synapse >= 0 < 1.127.1
cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:* synapse >= None < 1.127.1

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
synapse edge-community 1.127.1-r0 jahway603 <jahway603@protonmail.com> fixed
synapse 3.21-community 1.127.1-r0 jahway603 <jahway603@protonmail.com> fixed
synapse edge-community 1.120.2-r0 jahway603 <jahway603@protonmail.com> possibly vulnerable
synapse edge-community 1.121.1-r0 jahway603 <jahway603@protonmail.com> possibly vulnerable
synapse edge-community 1.122.0-r0 jahway603 <jahway603@protonmail.com> possibly vulnerable
synapse edge-community 1.123.0-r0 jahway603 <jahway603@protonmail.com> possibly vulnerable
synapse edge-community 1.124.0-r0 jahway603 <jahway603@protonmail.com> possibly vulnerable
synapse edge-community 1.125.0-r0 jahway603 <jahway603@protonmail.com> possibly vulnerable
synapse edge-community 1.126.0-r0 jahway603 <jahway603@protonmail.com> possibly vulnerable
synapse edge-community 1.127.0-r0 jahway603 <jahway603@protonmail.com> possibly vulnerable