CVE-2025-61672
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-61672, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-10-08

Last updated on: 2025-10-08

Assigner: GitHub, Inc.

Description

Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-10-08
Last Modified
2025-10-08
Generated
2026-07-06
AI Q&A
2025-10-08
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
element matrix_synapse 1.139.1
element matrix_synapse 1.138.3
element matrix_synapse 1.139.2
element matrix_synapse 1.138.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1287 The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Synapse, an open source Matrix homeserver, is due to a lack of validation for device keys before version 1.138.3 and in version 1.139.0. An attacker registered on the victim homeserver can exploit this to degrade federation functionality, causing unpredictable breaks in outbound federation to other homeservers. The issue has been patched in versions 1.138.3, 1.138.4, 1.139.1, and 1.139.2, but some patches introduced unrelated regressions, so upgrading directly to 1.138.4 or 1.139.2 is recommended.

Impact Analysis

This vulnerability can impact you by allowing an attacker registered on your Synapse homeserver to degrade federation functionality. This means that outbound federation communications to other homeservers can be unpredictably broken, potentially disrupting communication and interoperability with other Matrix homeservers.

Mitigation Strategies

Upgrade Synapse to version 1.138.4 or 1.139.2, as these versions contain the patches for this vulnerability. Avoid upgrading to versions 1.138.3 and 1.139.1 due to unrelated regressions introduced in those releases.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61672. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart