CVE-2025-30355: Synapse vulnerable to federation denial of service via malformed events
A malicious server can craft events which, when received, prevent Synapse versions up to 1.127.0 from federating with other servers; the fix ships in Synapse 1.127.1. The vulnerability has been exploited in the wild.
References
- github.com/advisories/GHSA-v56r-hwv5-mxg6
- github.com/element-hq/synapse
- github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389
- github.com/element-hq/synapse/releases/tag/v1.127.1
- github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6
- nvd.nist.gov/vuln/detail/CVE-2025-30355