CVE-2021-41119

Name of the Vulnerable Software and Affected Versions wire-server versions prior to 2022-03-01

Description The issue is a denial of service attack via a crafted object causing a hash collision. This collision causes the server to spend at least quadratic time parsing it, which can lead to a denial of service for a heavily used server. The problem has been fixed in wire-server 2022-03-01 and is already deployed on all Wire managed services.

Recommendations For wire-server versions prior to 2022-03-01, update to version 2022-03-01 to resolve the issue. On premise instances of wire-server need to be updated to 2022-03-01, so that their backends are no longer affected. As a temporary workaround, consider restricting the input of crafted objects to minimize the risk of exploitation.