Syncthing · Syncthing · CVE-2021-21404
**Name of the Vulnerable Software and Affected Versions**
Syncthing versions prior to 1.15.0
**Description**
A malicious relay server can crash Syncthing by sending a malformed relay protocol message with a negative length field. Similarly, the relay server `strelaysrv` can be crashed by sending it such a message. The crash can occur when Syncthing attempts to join a relay and receives the malformed message. The issue does not expose sensitive data, and exploiting it requires Syncthing to be connected to a malicious relay server.
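The length validation that this class of bug calls for, shown as an added Go example that is not Syncthing's own code. The two-field header layout, the `maxPayloadLen` bound and the names `ReadMessage` and `Frame` are assumptions made for illustration.

```go
package main

import (
	"bytes"
	"encoding/binary"
	"errors"
	"fmt"
	"io"
)

// Assumed framing, for illustration only: 4-byte type followed by a
// 4-byte signed length, big-endian. The bound is a constructed value.
const maxPayloadLen int32 = 1024

var ErrBadLength = errors.New("relay message: length out of range")

type header struct {
	Type   int32
	Length int32
}

// ReadMessage validates the length field before using it to size a buffer.
func ReadMessage(r io.Reader) (int32, []byte, error) {
	var h header
	if err := binary.Read(r, binary.BigEndian, &h); err != nil {
		return 0, nil, err
	}
	// Unchecked, make([]byte, h.Length) panics when the length is negative.
	if h.Length < 0 || h.Length > maxPayloadLen {
		return 0, nil, fmt.Errorf("%w: %d", ErrBadLength, h.Length)
	}
	payload := make([]byte, h.Length)
	if _, err := io.ReadFull(r, payload); err != nil {
		return 0, nil, err
	}
	return h.Type, payload, nil
}

// Frame builds a constructed sample message with an arbitrary length field.
func Frame(msgType, length int32, payload []byte) []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, header{msgType, length})
	b.Write(payload)
	return b.Bytes()
}

func main() {
	_, _, err := ReadMessage(bytes.NewReader(Frame(1, -1, nil)))
	fmt.Println("negative length:", err)
}
```

Rejecting the message with an error lets the caller drop the relay connection instead of taking down the whole process.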
**Recommendations**
For Syncthing versions prior to 1.15.0, update to version 1.15.0 to resolve the issue.
As a temporary workaround, consider configuring Syncthing to not use relays, or to only use specific, trusted relays, to minimize the risk of exploitation.