CVE-2025-61672
BaseFortify
Publication date: 2025-10-08
Last updated on: 2025-10-08
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| element | matrix_synapse | 1.139.1 |
| element | matrix_synapse | 1.138.3 |
| element | matrix_synapse | 1.139.2 |
| element | matrix_synapse | 1.138.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Synapse, an open source Matrix homeserver, is due to a lack of validation for device keys before version 1.138.3 and in version 1.139.0. An attacker registered on the victim homeserver can exploit this to degrade federation functionality, causing unpredictable breaks in outbound federation to other homeservers. The issue has been patched in versions 1.138.3, 1.138.4, 1.139.1, and 1.139.2, but some patches introduced unrelated regressions, so upgrading directly to 1.138.4 or 1.139.2 is recommended.
How can this vulnerability impact me?
This vulnerability can impact you by allowing an attacker registered on your Synapse homeserver to degrade federation functionality. This means that outbound federation communications to other homeservers can be unpredictably broken, potentially disrupting communication and interoperability with other Matrix homeservers.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Synapse to version 1.138.4 or 1.139.2, as these versions contain the patches for this vulnerability. Avoid upgrading to versions 1.138.3 and 1.139.1 due to unrelated regressions introduced in those releases.