Synapse: Invalid device keys degrade federation functionality_CVE-2025-61672

5.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N

Description

Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.

Basic Information

ID CVE-2025-61672

Source GitHub_M

Published Oct 8, 2025 at 14:55

Affected Product

Vendor element-hq

Product synapse

Version < 1.138.3

Affected Versions element-hq synapse < 1.138.3
element-hq synapse = 1.139.0

CWE Classification

CWE-1287

References

{
    "lastseen": "",
    "description": "Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.",
    "published": "2025-10-08T14:55:06.378Z",
    "modified": "2025-10-08T14:55:06.378Z",
    "type": "cve",
    "title": "Synapse: Invalid device keys degrade federation functionality",
    "source": "GitHub_M",
    "references": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr\nhttps://github.com/element-hq/synapse/pull/17097\nhttps://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1\nhttps://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740\nhttps://github.com/element-hq/synapse/releases/tag/v1.138.3\nhttps://github.com/element-hq/synapse/releases/tag/v1.139.1",
    "id": "CVE-2025-61672",
    "bulletinFamily": "",
    "cwe": [
        "CWE-1287"
    ],
    "cvelist": null,
    "sourceData": "element-hq synapse < 1.138.3\nelement-hq synapse = 1.139.0",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "synapse",
    "version": "< 1.138.3",
    "vendor": "element-hq",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}