PT-2023-23730 · Synapse+1

Moderated: kasak · Published: 2023-05-24 · Updated: 2023-09-18 · CVE-2023-32323

CVSS v4.0: 5.3 Medium
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L
Name of the Vulnerable Software and Affected Versions: Synapse versions up to and including 1.73

Description: A malicious user on a Synapse homeserver who has permission to create certain state events can disable outbound federation from that homeserver to another. This is possible because Synapse versions up to and including 1.73 place no size limit on the invite room state field of an invite event, so the attacker can build an arbitrarily large invite event. Synapse instances with federation disabled are not affected.

Recommendations: For Synapse versions up to and including 1.73, upgrade to Synapse 1.74 or newer urgently. As a partial mitigation, Synapse operators can disable open registration to limit an attacker's ability to create new accounts on the homeserver. If the homeserver has already been attacked, restarting it resumes outgoing federation by entering "catchup mode", but this does not prevent the attacker from repeating the attack.
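The mechanism in the Description and the size cap that the Recommendations' upgrade implies, shown as an added illustration that is not Synapse's own code and does not reproduce the exact change made in 1.74: each state event the attacker creates is individually within the Matrix federation limit of 65536 bytes per canonical-JSON event, but an invite that copies all of them into `unsigned.invite_room_state` is not, and a remote homeserver will refuse it. The 8192-byte budget, the function names, the drop policy (keep stripped events in order, skip any that would exceed the budget) and the padded room state are assumptions constructed for this example.

```python
import json

# Real constraint from the Matrix spec: a federation event (PDU), encoded as
# canonical JSON, must not exceed 65536 bytes, so a receiving homeserver
# rejects anything larger.
MAX_EVENT_BYTES = 65536
# Assumed budget for unsigned.invite_room_state. Synapse < 1.73 applied no
# such limit at all; the value here is an example choice, not Synapse's.
MAX_INVITE_ROOM_STATE_BYTES = 8192

# State event types that are copied, in stripped form, into an invite.
STRIPPED_TYPES = {
    "m.room.create", "m.room.name", "m.room.avatar", "m.room.topic",
    "m.room.join_rules", "m.room.canonical_alias", "m.room.encryption",
}


def canonical_size(obj):
    """Byte length of obj as canonical JSON (sorted keys, no whitespace)."""
    return len(json.dumps(obj, sort_keys=True, separators=(",", ":"),
                          ensure_ascii=False).encode("utf-8"))


def strip_state_event(event):
    """Reduce a full state event to the four fields an invite carries."""
    return {k: event[k] for k in ("type", "state_key", "sender", "content")}


def build_invite(sender, invitee, room_id, room_state, cap_bytes=None):
    """Build the m.room.member invite event a homeserver sends out.

    cap_bytes=None reproduces the unbounded behaviour: every eligible state
    event is attached, so the inviter controls the size of the invite.
    With a cap, stripped events are added in order and any that would push
    the total over the budget are dropped, so m.room.create (listed first)
    survives while padded name/topic events do not. The drop policy is an
    assumption for this example.
    """
    stripped = [strip_state_event(e) for e in room_state
                if e["type"] in STRIPPED_TYPES]
    if cap_bytes is not None:
        kept, used = [], 0
        for s in stripped:
            n = canonical_size(s)
            if used + n > cap_bytes:
                continue
            kept.append(s)
            used += n
        stripped = kept
    return {
        "type": "m.room.member",
        "room_id": room_id,
        "sender": sender,
        "state_key": invitee,
        "content": {"membership": "invite"},
        "unsigned": {"invite_room_state": stripped},
    }


def federation_accepts(event):
    """The size check a receiving homeserver applies to an incoming PDU."""
    return canonical_size(event) <= MAX_EVENT_BYTES


def sample_room_state():
    """Constructed state for a room whose creator padded two state events.

    Each padded event is itself well under 65536 bytes, so the sending
    homeserver stores it without complaint; only the invite that
    aggregates them becomes too large to federate.
    """
    who = "@mallory:example.org"
    return [
        {"type": "m.room.create", "state_key": "", "sender": who,
         "content": {"creator": who, "room_version": "10"}},
        {"type": "m.room.join_rules", "state_key": "", "sender": who,
         "content": {"join_rule": "invite"}},
        {"type": "m.room.power_levels", "state_key": "", "sender": who,
         "content": {"users": {who: 100}}},
        {"type": "m.room.name", "state_key": "", "sender": who,
         "content": {"name": "A" * 40000}},
        {"type": "m.room.topic", "state_key": "", "sender": who,
         "content": {"topic": "B" * 40000}},
    ]


if __name__ == "__main__":
    state = sample_room_state()
    args = ("@mallory:example.org", "@victim:remote.example",
            "!abc:example.org", state)
    oversized = build_invite(*args)
    capped = build_invite(*args, cap_bytes=MAX_INVITE_ROOM_STATE_BYTES)
    print("uncapped invite:", canonical_size(oversized), "bytes, accepted:",
          federation_accepts(oversized))
    print("capped invite:  ", canonical_size(capped), "bytes, accepted:",
          federation_accepts(capped))
```

The point for operators is that the per-event limit on the sending side is not enough: the attacker needs only ordinary permission to set room name and topic, and the oversized invite is produced by the homeserver itself, which is why the advisory's partial mitigation is to restrict who can register accounts rather than anything the attacker sends.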


Related Identifiers

ALT-PU-2023-4748
CVE-2023-32323
GHSA-f3wc-3vxv-xmvr
PYSEC-2023-67

Affected Products

Alt Linux
Synapse