CVE-2021-21392

Name of the Vulnerable Software and Affected Versions Synapse versions prior to 1.28.0

Description The issue affects Synapse, a Matrix reference homeserver written in python, where requests to user-provided domains were not restricted to external IP addresses when transitional IPv6 addresses were used. This could cause Synapse to make requests to internal infrastructure on dual-stack networks, affecting outbound requests to federation, identity servers, key validity calculations for third-party invite events, push notifications, and URL previews.

Recommendations For Synapse versions prior to 1.28.0, update to version 1.28.0 or later to resolve the issue. As a temporary workaround, consider blocking outbound requests to the following address ranges by a firewall, if unused for internal communication between systems: ::ffff/80, ::0000/80, and 2002::/16.