CVE-2018-10657

Name of the Vulnerable Software and Affected Versions Matrix Synapse versions prior to 0.28.1

Description The issue is a denial of service flaw where malicious events injected with depth = 2^63 - 1 render rooms unusable. This is related to the files federation/federation base.py and handlers/message.py. The flaw has been exploited in the wild, with incidents reported in April 2018.

Recommendations For versions prior to 0.28.1, update to version 0.28.1 or later to resolve the issue. As a temporary workaround, consider restricting access to the federation functionality to minimize the risk of exploitation. Avoid using the depth parameter with high values in the affected API endpoints until the issue is resolved.