Upstream information
Description
Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse versions up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.
SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having important severity.
Metric | CNA (GitHub) |
---|---|
Base Score | 7.1 |
Vector | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | Low |
User Interaction | None |
Scope | Unchanged |
Confidentiality Impact | None |
Integrity Impact | Low |
Availability Impact | High |
CVSSv3 Version | 3.1 |
SUSE Security Advisories:
- openSUSE-SU-2025:14939-1, published Sat Mar 29 18:50:22 2025
List of released packages
Product(s) | Fixed package version(s) | References |
---|---|---|
openSUSE Tumbleweed | | Patchnames: openSUSE-Tumbleweed-2025-14939 |
SUSE Timeline for this CVE
CVE page created: Thu Mar 27 04:00:09 2025
CVE page last modified: Wed Apr 9 17:27:04 2025