
Tom Sydney Kerckhove

Researcher from FP Complete
#36942 of 53,635
7.5 Total CVSS
Vulnerabilities · 1
PT-2022-11366
7.5
2022-04-13
Wire · Wire-Server · CVE-2021-41119
**Name of the Vulnerable Software and Affected Versions**

wire-server versions prior to 2022-03-01

**Description**

The issue is a denial-of-service attack via a crafted object that causes a hash collision. The collision makes the server spend at least quadratic time parsing the object, which can lead to a denial of service on a heavily used server. The problem has been fixed in wire-server 2022-03-01, and the fix is already deployed on all Wire managed services.

**Recommendations**

For wire-server versions prior to 2022-03-01, update to version 2022-03-01 to resolve the issue. On-premise instances of wire-server need to be updated to 2022-03-01 so that their backends are no longer affected. As a temporary workaround, consider restricting the input of crafted objects to minimize the risk of exploitation.