Allocation of Resources Without Limits or Throttling

The advisory has been revoked - it doesn't affect any version of package matrix-synapse


Threat Intelligence

EPSS
1.17% (64th percentile)

  • Snyk ID: SNYK-UBUNTU2004-MATRIXSYNAPSE-5960695
  • Published: 8 Apr 2025
  • Disclosed: 10 Oct 2023

Introduced: 10 Oct 2023

CVE-2023-45129
CWE-770

Amendment

The Ubuntu security team deemed this advisory irrelevant for Ubuntu:20.04.

NVD Description

Note: Versions mentioned in the description apply only to the upstream matrix-synapse package and not the matrix-synapse package as distributed by Ubuntu.

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. Prior to version 1.94.0, a malicious server ACL event can impact performance temporarily or permanently leading to a persistent denial of service. Homeservers running on a closed federation (which presumably do not need to use server ACLs) are not affected. Server administrators are advised to upgrade to Synapse 1.94.0 or later. As a workaround, rooms with malicious server ACL events can be purged and blocked using the admin API.