CVE-2025-61672
BaseFortify

Publication date: 2025-10-08

Last updated on: 2025-10-08

Assigner: GitHub, Inc.

Description
Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.
Meta Information
Published: 2025-10-08
Last Modified: 2025-10-08
Generated: 2026-06-16
AI Q&A: 2025-10-08
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 4 associated CPEs

Vendor   | Product        | Version / Range
---------|----------------|----------------
element  | matrix_synapse | 1.139.1
element  | matrix_synapse | 1.138.3
element  | matrix_synapse | 1.139.2
element  | matrix_synapse | 1.138.4
CWE ID   | Description
---------|------------
CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type.
Executive Summary

This vulnerability in Synapse, an open source Matrix homeserver, is due to a lack of validation for device keys before version 1.138.3 and in version 1.139.0. An attacker registered on the victim homeserver can exploit this to degrade federation functionality, causing unpredictable breaks in outbound federation to other homeservers. The issue has been patched in versions 1.138.3, 1.138.4, 1.139.1, and 1.139.2, but some patches introduced unrelated regressions, so upgrading directly to 1.138.4 or 1.139.2 is recommended.

Impact Analysis

This vulnerability allows an attacker registered on your Synapse homeserver to degrade federation functionality: outbound federation traffic to other homeservers can be broken unpredictably, disrupting communication and interoperability with the rest of the Matrix network.

Mitigation Strategies

Upgrade Synapse to version 1.138.4 or 1.139.2, as these versions contain the patches for this vulnerability. Avoid upgrading to versions 1.138.3 and 1.139.1 due to unrelated regressions introduced in those releases.
