GMS-2022-624: Uncontrolled Resource Consumption

April 1, 2022 (updated April 5, 2022)

Synapse before 1.52.0 with URL preview functionality enabled will attempt to generate URL previews for media stream URLs without properly limiting connection time. Connections will only be terminated after max_spider_size (default: 10M) bytes have been downloaded, which can in some cases lead to long-lived connections towards the streaming media server (for instance, Icecast). This can cause excessive traffic and connections toward such servers if their stream URL is, for example, posted to a large room with many Synapse instances with URL preview enabled.

References

github.com/advisories/GHSA-4822-jvwx-w47h
github.com/matrix-org/synapse/pull/11784
github.com/matrix-org/synapse/pull/11936
github.com/matrix-org/synapse/releases/tag/v1.52.0
github.com/matrix-org/synapse/releases/tag/v1.53.0
github.com/matrix-org/synapse/security/advisories/GHSA-4822-jvwx-w47h

Code Behaviors & Features

Detect and mitigate GMS-2022-624 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →