CVE-2025-61672: Synapse's invalid device keys degrade federation functionality
Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The only prerequisite is an account on the affected homeserver. Fixed in Synapse 1.138.3 (and later 1.138.x releases) and 1.139.1 (and later).
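Synapse's actual fix is in the commits linked below. The following is an added, stand-alone Python example (not Synapse's code and not taken from the advisory) of the kind of structural check a homeserver should apply to a `device_keys` object at upload time, before it is persisted and announced to other homeservers. The session user and device, the constructed sample uploads, and the rule that `curve25519`/`ed25519` public keys must decode to 32 bytes are assumptions of the example; it validates structure only and does not verify the self-signature.

```python
import base64
import re
from typing import Any, Optional

# Assumption of this example: known key algorithms whose public keys are 32 bytes
# encoded as unpadded base64 (curve25519 and ed25519 public keys are 32 bytes).
_KEY_SIZES = {"curve25519": 32, "ed25519": 32}
# Key identifiers in a device_keys object have the form "<algorithm>:<device_id>".
_KEY_ID_RE = re.compile(r"^([A-Za-z0-9_-]+):([A-Za-z0-9._=-]+)$")


def _decode_unpadded_b64(value: str) -> Optional[bytes]:
    """Decode unpadded base64; return None if the text is not valid base64."""
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None


def validate_device_keys(body: Any, session_user: str, session_device: str) -> list:
    """Return a list of problems with a device_keys upload; an empty list means accept.

    Every field the upload will later be serialised from is type-checked here, so a
    malformed object is rejected at the client API instead of surfacing later when
    the homeserver tries to send the device list update over federation.
    """
    problems: list = []
    if not isinstance(body, dict):
        return ["device_keys must be a JSON object"]
    # The upload must be for the authenticated user and device, nothing else.
    if body.get("user_id") != session_user:
        problems.append("user_id does not match the authenticated user")
    if body.get("device_id") != session_device:
        problems.append("device_id does not match the authenticated device")
    algorithms = body.get("algorithms")
    if not isinstance(algorithms, list) or not all(isinstance(a, str) and a for a in algorithms):
        problems.append("algorithms must be a list of non-empty strings")
    keys = body.get("keys")
    if not isinstance(keys, dict) or not keys:
        problems.append("keys must be a non-empty object")
        keys = {}
    for key_id, key in keys.items():
        match = _KEY_ID_RE.match(key_id) if isinstance(key_id, str) else None
        if match is None:
            problems.append(f"key id {key_id!r} is not of the form <algorithm>:<device_id>")
            continue
        algo, dev = match.groups()
        if dev != session_device:
            problems.append(f"key id {key_id!r} names a different device")
        if not isinstance(key, str) or not key:
            problems.append(f"key {key_id!r} must be a non-empty string")
            continue
        raw = _decode_unpadded_b64(key)
        expected = _KEY_SIZES.get(algo)
        if raw is None:
            problems.append(f"key {key_id!r} is not unpadded base64")
        elif expected is not None and len(raw) != expected:
            problems.append(f"key {key_id!r} must decode to {expected} bytes, got {len(raw)}")
    signatures = body.get("signatures")
    if not isinstance(signatures, dict):
        problems.append("signatures must be an object")
    else:
        # The device must have signed its own keys with its ed25519 key.
        own = signatures.get(session_user)
        self_sig_id = f"ed25519:{session_device}"
        if not isinstance(own, dict) or not isinstance(own.get(self_sig_id), str):
            problems.append(f"missing self-signature {session_user}/{self_sig_id}")
        for signer, sigs in signatures.items():
            if not isinstance(sigs, dict) or not all(
                isinstance(k, str) and _KEY_ID_RE.match(k) and isinstance(v, str) and v
                for k, v in sigs.items()
            ):
                problems.append(f"signatures[{signer!r}] must map <algorithm>:<device_id> to strings")
    return problems


def _b64(raw: bytes) -> str:
    """Unpadded base64, as used for Matrix keys and signatures."""
    return base64.b64encode(raw).decode().rstrip("=")


# Constructed sample session and uploads (not captured traffic).
SESSION_USER = "@alice:example.org"
SESSION_DEVICE = "JLAFKJWSCS"

VALID_UPLOAD = {
    "user_id": SESSION_USER,
    "device_id": SESSION_DEVICE,
    "algorithms": ["m.olm.v1.curve25519-aes-sha2", "m.megolm.v1.aes-sha2"],
    "keys": {
        f"curve25519:{SESSION_DEVICE}": _b64(bytes(range(32))),
        f"ed25519:{SESSION_DEVICE}": _b64(bytes(range(32, 64))),
    },
    "signatures": {SESSION_USER: {f"ed25519:{SESSION_DEVICE}": _b64(bytes(64))}},
}

# Same session, but a keys object no well-behaved client would send.
MALFORMED_UPLOAD = {
    **VALID_UPLOAD,
    "keys": {
        "ed25519": "AAAA",                               # no ":<device_id>" part
        f"curve25519:{SESSION_DEVICE}": "not base64!",   # invalid base64
        f"ed25519:{SESSION_DEVICE}": _b64(b"short"),     # wrong key length
    },
    "signatures": {},                                    # no self-signature
}

if __name__ == "__main__":
    print(validate_device_keys(VALID_UPLOAD, SESSION_USER, SESSION_DEVICE))
    for problem in validate_device_keys(MALFORMED_UPLOAD, SESSION_USER, SESSION_DEVICE):
        print("reject:", problem)
```

The check is deliberately applied against the authenticated session rather than the values inside the upload, so a user cannot plant keys under another device ID, and each rejection reason is returned rather than raised so the endpoint can report all of them in one 400 response.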
References
- github.com/advisories/GHSA-fh66-fcv5-jjfr
- github.com/element-hq/synapse
- github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1
- github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740
- github.com/element-hq/synapse/pull/17097
- github.com/element-hq/synapse/releases/tag/v1.138.3
- github.com/element-hq/synapse/releases/tag/v1.138.4
- github.com/element-hq/synapse/releases/tag/v1.139.1
- github.com/element-hq/synapse/releases/tag/v1.139.2
- github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr
- nvd.nist.gov/vuln/detail/CVE-2025-61672