PT-2021-14472 · Synapse+1

Richvdh · Published 2021-02-25 · Updated 2021-11-23 · CVE-2021-21393

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.28.0

Description: The issue is caused by missing input validation of some parameters on the endpoints used to confirm third-party identifiers, which could cause excessive use of disk space and memory, leading to resource exhaustion. This affects the groups feature, also known as communities, which is not part of the Matrix specification. The chosen maximum lengths are arbitrary, and not all clients might abide by them.

Recommendations: For versions prior to 1.28.0, consider disabling the groups feature by setting `enable_group_creation` to `False` to mitigate this issue. Note that the groups feature is disabled by default. At the moment, there is no information about a newer version that contains a fix for this vulnerability, but it is fixed by updating to version 1.28.0 or later.


Related Identifiers

ALT-PU-2021-1402
CVE-2021-21393
GHSA-JRH7-MHHX-6H88
PYSEC-2021-26

Affected Products

Alt Linux
Synapse