CVE-2025-30355: Synapse vulnerable to federation denial of service via malformed events
(updated )
A malicious server can craft events with a depth outside the integer range allowed by Canonical JSON. When such an event is received by Synapse version up to 1.127.0, it prevents it from federating with other servers. The vulnerability has been exploited in the wild.
References
- github.com/advisories/GHSA-v56r-hwv5-mxg6
- github.com/element-hq/synapse
- github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389
- github.com/element-hq/synapse/releases/tag/v1.127.1
- github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6
- nvd.nist.gov/vuln/detail/CVE-2025-30355
Code Behaviors & Features
Detect and mitigate CVE-2025-30355 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →