PT-2022-20490 · Synapse +1

Published: 2022-06-28 · Updated: 2024-06-15 · CVE-2022-31052

CVSS v4.0: 7.1 (High)
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.61.1

Description: The issue arises from unbounded recursion when generating URL previews of certain web pages, which can exhaust the available stack space of the Synapse process and lead to errors or crashes. It can be exploited maliciously either by users on the homeserver or by remote users sending specific URLs; remote users cannot trigger it directly, because the URL preview endpoint requires authentication. Deployments with `url_preview_enabled: false` are not affected, while those with `url_preview_enabled: true` are. The default value of `url_preview_enabled` is false, so deployments that do not set this option are not affected.

Recommendations: For versions prior to 1.61.1, upgrade to v1.61.1 or later to resolve the issue. As a temporary workaround, set `url_preview_enabled` to false in the configuration file to prevent exploitation. For deployments that use workers, offloading URL previews to dedicated workers limits the disruption to other Synapse functionality if a process crashes.
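The following helper is an added example, not part of this advisory or of Synapse itself: it applies the advisory's conditions (version below 1.61.1 and `url_preview_enabled: true`, default false) to a version string and the text of a homeserver.yaml, and returns the recommended action. The sample configuration strings are constructed for illustration; the config is read with a plain regex rather than a YAML parser so the check runs without extra dependencies.

```python
"""Constructed example: assess exposure to CVE-2022-31052 (Synapse < 1.61.1)
from the version and homeserver.yaml text, per the advisory's conditions."""
import re

FIXED_VERSION = (1, 61, 1)  # first release containing the fix, per the advisory
YAML_TRUE = {"true", "yes", "on"}  # values YAML treats as boolean true


def parse_version(version: str) -> tuple:
    """Turn '1.60.0' or 'v1.61.1' into a comparable tuple of ints."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised Synapse version: {version!r}")
    return tuple(int(x) for x in m.groups())


def url_preview_enabled(config_text: str) -> bool:
    """Read url_preview_enabled from homeserver.yaml text.

    Missing or commented-out key means the Synapse default, which is false.
    A simple line regex is used here instead of a YAML parser."""
    m = re.search(r"^[ \t]*url_preview_enabled[ \t]*:[ \t]*(\S+)",
                  config_text, re.MULTILINE)
    return bool(m) and m.group(1).strip("\"'").lower() in YAML_TRUE


def assess(version: str, config_text: str) -> dict:
    """Combine both conditions and return the action the advisory recommends."""
    vulnerable_version = parse_version(version) < FIXED_VERSION
    preview_on = url_preview_enabled(config_text)
    if not vulnerable_version:
        action = "no action: this version includes the fix"
    elif preview_on:
        action = ("upgrade to 1.61.1 or later; until then set "
                  "url_preview_enabled: false as a workaround")
    else:
        action = "not affected while url_preview_enabled stays false; still upgrade"
    return {"affected": vulnerable_version and preview_on,
            "vulnerable_version": vulnerable_version,
            "url_preview_enabled": preview_on,
            "action": action}


# Constructed sample configurations (not taken from any real deployment)
AFFECTED_CONFIG = "server_name: example.org\nurl_preview_enabled: true\n"
DEFAULT_CONFIG = "server_name: example.org\n# url_preview_enabled: true\n"

if __name__ == "__main__":
    for cfg in (AFFECTED_CONFIG, DEFAULT_CONFIG):
        print(assess("1.60.0", cfg))
```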

Weakness Enumeration

Uncontrolled Recursion

Related Identifiers

ALT-PU-2023-4748
CVE-2022-31052
GHSA-22P3-QRH9-CX32
OPENSUSE-SU-2024:12160-1
PYSEC-2022-224

Affected Products

Alt Linux
Synapse