PT-2021-18206 · Sydent · Sydent

Richvdh · Published 2021-04-15 · Updated 2022-08-03 · CVE-2021-29430

CVSS v4.0: 8.7 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Sydent versions prior to 89071a1, 0523511, f56eee3
Description: Sydent is a reference Matrix identity server that does not limit the size of requests it receives from HTTP clients, allowing a malicious user to send an HTTP request with a very large body, leading to memory exhaustion and denial of service. Additionally, Sydent does not limit response size for requests it makes to remote Matrix homeservers, which could lead to memory exhaustion and denial of service if a malicious homeserver returns a very large response. This issue affects any server that accepts registration requests from untrusted clients.
Recommendations: For versions prior to 89071a1, 0523511, f56eee3, update to one of these releases to resolve the issue. As a temporary workaround, consider limiting request sizes in an HTTP reverse-proxy to minimize the risk of exploitation. Note: There are no known workarounds for the problem with overlarge responses from remote Matrix homeservers.
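Both halves of this advisory come down to the same defect: a body is read into memory with no cap, whether it arrives in a client request or in a homeserver response. The following is an added illustration, not Sydent's code or its fix, of how a bounded reader enforces a cap while streaming so that an oversized body is rejected before it is fully buffered; the 64 KiB limit, the function names and the sample bodies are constructed for this example.

```python
import io

MAX_BODY_BYTES = 64 * 1024  # assumed cap for this example; Sydent's own limits differ


class BodyTooLarge(Exception):
    """Raised as soon as a body exceeds the configured cap."""


def read_bounded(stream, max_bytes=MAX_BODY_BYTES, chunk_size=4096):
    """Read an HTTP body from a file-like stream without ever buffering more
    than max_bytes. The unbounded read in the advisory allocates the whole
    body first; this aborts mid-stream, so the attacker controls bandwidth
    spent, not memory allocated."""
    buf = bytearray()
    while True:
        # Never ask for more than one byte past the cap, so the overflow is detected
        # without a large extra allocation.
        chunk = stream.read(min(chunk_size, max_bytes - len(buf) + 1))
        if not chunk:
            return bytes(buf)
        buf.extend(chunk)
        if len(buf) > max_bytes:
            raise BodyTooLarge(f"body exceeded {max_bytes} bytes")


def check_content_length(headers, max_bytes=MAX_BODY_BYTES):
    """Reject early on a declared Content-Length above the cap. A missing or
    lying header (e.g. chunked encoding) is not a bypass, because read_bounded
    still enforces the cap on the bytes actually received."""
    value = headers.get("content-length")
    if value is None:
        return True
    try:
        declared = int(value)
    except ValueError:
        return False
    return 0 <= declared <= max_bytes


def body_accepted(size, max_bytes=MAX_BODY_BYTES):
    """Constructed check: stream a body of `size` bytes through the bounded
    reader and report whether it was accepted."""
    try:
        read_bounded(io.BytesIO(b"x" * size), max_bytes=max_bytes)
        return True
    except BodyTooLarge:
        return False


if __name__ == "__main__":
    print("1 KiB body accepted:", body_accepted(1024))
    print("1 MiB body accepted:", body_accepted(1024 * 1024))
```

The same reader serves the response side of the advisory: wrap the body returned by a remote homeserver in it and the server-side cap applies there too, which the reverse-proxy workaround alone cannot provide.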

Fix

Allocation of Resources Without Limits

RCE

Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2021-29430
GHSA-WMG4-8CP2-HPG9
PYSEC-2021-21

Affected Products

Sydent