Synapse · Synapse · CVE-2023-32683
**Name of the Vulnerable Software and Affected Versions**
Synapse versions prior to 1.85.0
**Description**
A discovered oEmbed or image URL can bypass the `url_preview_url_blacklist` setting, potentially allowing server-side request forgery or bypassing network policies. The blacklist is applied to the URL the client asks to preview, but not to the oEmbed endpoint or image URL that Synapse discovers in the fetched page, so those secondary fetches can reach hosts the blacklist was meant to exclude. The impact is limited to IP addresses permitted by the `url_preview_ip_range_blacklist` setting and by the limited information returned to the client. For discovered oEmbed URLs, any non-JSON response or JSON response that includes non-oEmbed information is discarded. For discovered image URLs, any non-image response is discarded. Systems with URL preview disabled (the default) or without a configured `url_preview_url_blacklist` are not affected.
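The gap described above, modelled as an added Python example that is not Synapse's own code: the user-supplied URL is checked against a blocklist in the glob-per-component shape of `url_preview_url_blacklist`, but the `og:image` URL discovered in the fetched page is followed without a second check. The blocklist entries, hostnames and the in-memory stand-in for the network are constructed for the example; `preview(..., check_discovered=True)` shows the corrected control flow.

```python
"""Model of the CVE-2023-32683 control-flow gap in URL preview.

Illustrative code only, not Synapse's implementation: the blocklist matcher
is a simplified form of the url_preview_url_blacklist semantics, and the
"network" is an in-memory dict.
"""
import fnmatch
import re
from urllib.parse import urljoin, urlsplit

# Constructed blocklist in the shape of url_preview_url_blacklist: a list of
# dicts mapping URL components to glob patterns; an entry matches when every
# component it names matches. The hostnames are assumptions for the example.
URL_BLOCKLIST = [
    {"netloc": "*.internal.example"},
    {"netloc": "169.254.169.254"},
]


def is_url_blocked(url, blocklist=URL_BLOCKLIST):
    """True if any blocklist entry matches every URL component it names."""
    parts = urlsplit(url)
    for entry in blocklist:
        if all(fnmatch.fnmatch(getattr(parts, attrib) or "", pattern)
               for attrib, pattern in entry.items()):
            return True
    return False


# Constructed stand-in for the network: URL -> (Content-Type, body).
# The first page points its og:image at a blocked internal address; the
# second uses a relative image path that resolves back to the public host.
FAKE_WEB = {
    "https://public.example/article": (
        "text/html",
        '<html><head><meta property="og:image" '
        'content="http://169.254.169.254/latest/meta-data/"></head></html>',
    ),
    "http://169.254.169.254/latest/meta-data/": ("text/plain", "ami-id\nhostname\n"),
    "https://public.example/photo": (
        "text/html",
        '<html><head><meta property="og:image" content="/static/photo.png"></head></html>',
    ),
    "https://public.example/static/photo.png": ("image/png", "PNGDATA"),
}

OG_IMAGE_RE = re.compile(r'<meta\s+property="og:image"\s+content="([^"]+)"', re.I)


def fetch(url, requested):
    """Simulated HTTP GET that records every URL actually requested."""
    requested.append(url)
    return FAKE_WEB[url]


def discover_image_url(page_url, html):
    """Extract the og:image URL and resolve it relative to the page."""
    match = OG_IMAGE_RE.search(html)
    return urljoin(page_url, match.group(1)) if match else None


def preview(url, check_discovered):
    """Return (urls_requested, image_body_or_None).

    check_discovered=False models the pre-1.85.0 behaviour: only the
    client-supplied URL is checked. check_discovered=True models the fix:
    the discovered image URL is checked against the same blocklist.
    """
    requested = []
    if is_url_blocked(url):
        raise PermissionError(f"blocked by url_preview_url_blacklist: {url}")
    ctype, body = fetch(url, requested)
    if not ctype.startswith("text/html"):
        return requested, None
    image_url = discover_image_url(url, body)
    if image_url is None:
        return requested, None
    if check_discovered and is_url_blocked(image_url):
        return requested, None
    ictype, ibody = fetch(image_url, requested)
    # A non-image response is discarded, as the advisory states, but the
    # request to the blocked host has already been made by this point.
    return requested, ibody if ictype.startswith("image/") else None


if __name__ == "__main__":
    for check in (False, True):
        urls, _ = preview("https://public.example/article", check_discovered=check)
        print(f"check_discovered={check}: requested {urls}")
```

With `check_discovered=False` the request log shows the fetch to `169.254.169.254` even though the client only receives an empty preview, which is exactly the side effect the advisory describes; with the check in place the internal request never happens, while a relative image path on the public host still resolves and is fetched.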
**Recommendations**
For versions prior to 1.85.0, upgrade to Synapse 1.85.0 or later to resolve the issue.
If upgrading immediately is not possible, disable URL previews as a temporary workaround by setting `url_preview_enabled: false` in the homeserver configuration.
Ensure `url_preview_ip_range_blacklist` covers every private, loopback and link-local range the homeserver must never reach, since it is this setting, not `url_preview_url_blacklist`, that bounds what a discovered oEmbed or image URL can contact.
Until the fix is applied, do not rely on `url_preview_url_blacklist` alone to keep the previewer away from internal hosts, because a discovered URL can bypass it.