PT-2020-16383 · Matrix · Matrix Synapse

Erikjohnston · Published 2020-12-09 · Updated 2024-06-15 · CVE-2020-26257

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Matrix Synapse, versions prior to 1.23.1
Description: A malicious or poorly implemented homeserver can inject malformed events into a room by specifying, in the URL path of federation API endpoints such as /send_join, /send_leave, /invite, or /exchange_third_party_invite, a room ID that differs from the room_id carried inside the event in the request body. Because the receiving server files the event under the room named in the path, this can lead to a denial of service in which future events in that room are no longer correctly sent to other servers over federation. The issue affects any server that accepts federation requests from untrusted servers.
Recommendations: Update to Synapse 1.23.1 or later. As a temporary workaround, homeserver administrators can restrict the federation API to trusted servers, for example with the federation_domain_whitelist option in homeserver.yaml.
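The mismatch described above, shown as an added illustration rather than Synapse's own code: a pre-fix handler that files a PDU under the room ID from the URL path without looking at the PDU's own room_id, beside a hardened handler that rejects the request when the two disagree, plus a small check that mirrors the semantics of the federation_domain_whitelist workaround (unset means every origin may federate). The handler names, the in-memory RoomStore, the errcode strings and the sample PDUs are constructed for this example and are not taken from Synapse.

```python
import json
import re
from dataclasses import dataclass, field
from typing import Callable, Optional, Tuple

# Matrix room IDs look like "!opaque:server.name".
ROOM_ID_RE = re.compile(r"^![^:\s]+:[^\s]+$")


class FederationError(Exception):
    """Error returned to the requesting homeserver. The errcode strings are
    assumed for this illustration, not copied from Synapse."""

    def __init__(self, code: int, errcode: str, msg: str) -> None:
        super().__init__(msg)
        self.code, self.errcode, self.msg = code, errcode, msg


@dataclass
class RoomStore:
    """Minimal stand-in for the homeserver's per-room event store."""
    rooms: dict = field(default_factory=dict)

    def append(self, room_id: str, pdu: dict) -> None:
        self.rooms.setdefault(room_id, []).append(pdu)


def _parse_pdu(body: bytes) -> dict:
    """Decode the request body as a PDU; reject anything without a room_id."""
    try:
        pdu = json.loads(body)
    except ValueError:
        raise FederationError(400, "M_NOT_JSON", "body is not valid JSON")
    if not isinstance(pdu, dict) or not isinstance(pdu.get("room_id"), str):
        raise FederationError(400, "M_BAD_JSON", "PDU has no room_id")
    return pdu


def send_join_vulnerable(store: RoomStore, path_room_id: str, body: bytes) -> int:
    """Pre-fix behaviour as the advisory describes it: the event is filed
    under the room ID taken from the URL path, and the room_id carried
    inside the PDU is never compared against it."""
    pdu = _parse_pdu(body)
    store.append(path_room_id, pdu)
    return 200


def send_join_hardened(store: RoomStore, path_room_id: str, body: bytes) -> int:
    """Hardened variant: validate the path room ID and refuse any PDU whose
    own room_id does not match it."""
    if not ROOM_ID_RE.match(path_room_id):
        raise FederationError(400, "M_INVALID_PARAM", "malformed room ID in path")
    pdu = _parse_pdu(body)
    if pdu["room_id"] != path_room_id:
        raise FederationError(
            400, "M_BAD_JSON",
            f"room_id in event ({pdu['room_id']}) does not match path ({path_room_id})",
        )
    store.append(pdu["room_id"], pdu)
    return 200


def dispatch(handler: Callable[..., int], store: RoomStore,
             path_room_id: str, body: bytes) -> Tuple[int, Optional[str]]:
    """Run a handler and map FederationError to an (HTTP status, errcode) pair."""
    try:
        return handler(store, path_room_id, body), None
    except FederationError as e:
        return e.code, e.errcode


def origin_allowed(origin: str, whitelist: Optional[list]) -> bool:
    """Mirror of the temporary workaround: with federation_domain_whitelist
    unset every origin may federate; when set, only the listed server names."""
    return whitelist is None or origin in whitelist


# Constructed sample PDUs. TARGET_ROOM is the room named in the request path;
# PDU_MISMATCH is a join event whose body points at a different room.
TARGET_ROOM = "!target:example.org"
PDU_OK = json.dumps({"type": "m.room.member", "room_id": TARGET_ROOM,
                     "sender": "@alice:remote.example",
                     "state_key": "@alice:remote.example",
                     "content": {"membership": "join"}}).encode()
PDU_MISMATCH = json.dumps({"type": "m.room.member", "room_id": "!other:remote.example",
                           "sender": "@alice:remote.example",
                           "state_key": "@alice:remote.example",
                           "content": {"membership": "join"}}).encode()


if __name__ == "__main__":
    vuln, fixed = RoomStore(), RoomStore()
    print("vulnerable:", dispatch(send_join_vulnerable, vuln, TARGET_ROOM, PDU_MISMATCH),
          "-> event stored under", list(vuln.rooms))
    print("hardened:  ", dispatch(send_join_hardened, fixed, TARGET_ROOM, PDU_MISMATCH),
          "-> rooms touched:", list(fixed.rooms))
```

Running the block shows the vulnerable handler answering 200 and storing an event whose room_id is "!other:remote.example" under "!target:example.org", while the hardened handler answers 400 and touches no room. The same path-versus-body comparison applies to each of the endpoints the advisory names, since all of them carry the room ID both in the path and inside the event.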

Fix

DoS

Special Elements Injection

XSS

Resource Exhaustion


Weakness Enumeration

Related Identifiers

ALT-PU-2021-1385
CVE-2020-26257
GHSA-HXMP-PQCH-C8MM
OPENSUSE-SU-2024:11041-1
PYSEC-2020-236

Affected Products

Alt Linux
Matrix Synapse