Homepage

Improper Validation of Specified Type of Input Affecting matrix-synapse package, versions <1.139.2-1

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.03% (9th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIANUNSTABLE-MATRIXSYNAPSE-13530958
  • published11 Oct 2025
  • disclosed8 Oct 2025
Report a new vulnerability Found a mistake?

Introduced: 8 Oct 2025

NewCVE-2025-61672  (opens in a new tab)
CWE-1287  (opens in a new tab)

How to fix?

Upgrade Debian:unstable matrix-synapse to version 1.139.2-1 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream matrix-synapse package and not the matrix-synapse package as distributed by Debian. See How to fix? for Debian:unstable relevant fixed versions and status.

Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.