PT-2022-26180 · Synapse+1

Kasak · Published 2022-03-11 · Updated 2023-07-06 · CVE-2022-41952

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L
Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.53.0

Description: The issue arises because Synapse generates URL previews for media stream URLs without limiting connection time. A connection is closed only once a fixed amount of data (max_spider_size, default 10M) has been downloaded, which can leave connections open for a long time and send excessive traffic to streaming media servers such as Icecast. This can happen when a stream URL is posted to a large room served by many Synapse instances with URL preview enabled. Version 1.52.0 introduces a timeout that terminates URL preview connections after 30 seconds, and version 1.53.0 additionally adds an allow list of content types for which URL previews are attempted.

Recommendations: To fully resolve the issue, upgrade to version 1.53.0. As a temporary workaround, disable URL previews by setting url_preview_enabled: false in the Synapse configuration file.
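As an added illustration (not code from Synapse), the read loop below models the three stop conditions the description names: max_spider_size alone (pre-1.52.0, `timeout=None`), the 30-second budget (1.52.0) and a content-type allow list (1.53.0). The allow list contents, the `endless_stream` source and `FakeClock` are constructed for this example and are not the project's own.

```python
import time
from typing import Callable, Iterable, Optional

MAX_SPIDER_SIZE = 10 * 1024 * 1024   # Synapse default max_spider_size (10M)
PREVIEW_TIMEOUT_S = 30.0             # per-preview budget introduced in 1.52.0
# Hypothetical allow list standing in for the 1.53.0 content-type list.
PREVIEW_CONTENT_TYPES = {"text/html", "image/jpeg", "image/png", "image/gif"}


class PreviewAborted(Exception):
    """Raised when a preview fetch is refused or cut off."""


def fetch_for_preview(content_type: Optional[str], body: Iterable[bytes], *,
                      timeout: Optional[float] = PREVIEW_TIMEOUT_S,
                      max_size: int = MAX_SPIDER_SIZE,
                      clock: Callable[[], float] = time.monotonic) -> bytes:
    """Read a response body for previewing.

    timeout=None reproduces the pre-1.52.0 behaviour: the only stop condition
    is max_size, so a slow endless stream keeps the connection open for as
    long as it takes to deliver 10M. With a timeout the read is also cut off
    once the wall-clock budget is spent, whatever has arrived so far.
    """
    media_type = (content_type or "").split(";", 1)[0].strip().lower()
    if media_type not in PREVIEW_CONTENT_TYPES:
        # Refuse before touching the body: an audio stream is never previewable.
        raise PreviewAborted(f"content type {media_type!r} not previewable")
    deadline = None if timeout is None else clock() + timeout
    buf = bytearray()
    for chunk in body:
        if deadline is not None and clock() > deadline:
            raise PreviewAborted("preview fetch exceeded time budget")
        buf.extend(chunk)
        if len(buf) >= max_size:
            break
    return bytes(buf[:max_size])


def endless_stream(chunk: bytes = b"\x00" * 4096):
    """Constructed stand-in for an Icecast-style stream that never ends."""
    while True:
        yield chunk


class FakeClock:
    """Deterministic clock: each reading advances by `step` seconds."""
    def __init__(self, step: float) -> None:
        self.now, self.step = 0.0, step

    def __call__(self) -> float:
        self.now += self.step
        return self.now
```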

Weakness Enumeration

Resource Exhaustion
Missing Release of Resource after Effective Lifetime

Related Identifiers

ALT-PU-2022-1464
CVE-2022-41952
GHSA-4822-JVWX-W47H

Affected Products

Alt Linux
Synapse