Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Tue, 26 Aug 2025 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Matrix
Matrix synapse
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*
Vendors & Products Matrix
Matrix synapse
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


Wed, 16 Jul 2025 13:45:00 +0000

Type Values Removed Values Added
Metrics epss

{'score': 0.00064}

epss

{'score': 0.00053}


Tue, 03 Dec 2024 19:15:00 +0000

Type Values Removed Values Added
First Time appeared Element-hq
Element-hq synapse
CPEs cpe:2.3:a:element-hq:synapse:*:*:*:*:*:*:*:*
Vendors & Products Element-hq
Element-hq synapse
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 03 Dec 2024 17:15:00 +0000

Type Values Removed Values Added
Title A malformed invite can break the invitee's `/sync` Synapse allows a a malformed invite to break the invitee's `/sync`

Tue, 03 Dec 2024 17:00:00 +0000

Type Values Removed Values Added
Description Synapse is an open-source Matrix homeserver. Synapse versions before 1.120.1 fail to properly validate invites received over federation. This vulnerability allows a malicious server to send a specially crafted invite that disrupts the invited user's /sync functionality. Synapse 1.120.1 rejects such invalid invites received over federation and restores the ability to sync for affected users.
Title A malformed invite can break the invitee's `/sync`
Weaknesses CWE-20
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2024-12-03T19:06:11.082Z

Reserved: 2024-11-15T17:11:13.444Z

Link: CVE-2024-52815

cve-icon Vulnrichment

Updated: 2024-12-03T19:06:00.818Z

cve-icon NVD

Status : Analyzed

Published: 2024-12-03T17:15:12.267

Modified: 2025-08-26T15:02:27.547

Link: CVE-2024-52815

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.