CVE-2024-52791: matrix-media-repo (MMR) allows a denial of service through memory exhaustion

January 16, 2025 (updated January 17, 2025)

MMR makes requests to other servers as part of normal operation, and these resource owners can return large amounts of JSON back to MMR for parsing. In parsing, MMR can consume large amounts of memory and exhaust available memory.

References

github.com/advisories/GHSA-gp86-q8hg-fpxj
github.com/t2bot/matrix-media-repo
github.com/t2bot/matrix-media-repo/releases/tag/v1.3.8
github.com/t2bot/matrix-media-repo/security/advisories/GHSA-gp86-q8hg-fpxj
nvd.nist.gov/vuln/detail/CVE-2024-52791
pkg.go.dev/vuln/GO-2025-3398

Detect and mitigate CVE-2024-52791 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →