PT-2024-27460 · Matrix · Synapse

Published 2024-12-03 · Updated 2025-08-26 · CVE-2024-37302

CVSS v4.0: 8.7 High
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Synapse versions prior to 1.106
Description: Synapse is an open-source Matrix homeserver. The issue allows an unauthenticated adversary to induce Synapse to download and cache large amounts of remote media, leading to a denial of service. The impact ranges from further media uploads/downloads failing (the media store is full) to complete unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a "leaky bucket" rate limit on remote media downloads that bounds the volume of data a requester can ask for in a given period, limiting an unauthenticated user's ability to force large amounts of data into the cache.
Recommendations: For Synapse versions prior to 1.106, consider lowering the maximum allowed media size and tightening request rate limits as a temporary workaround. These only slow an attacker down rather than stopping the cache from growing, so server operators may also wish to put the media store on a dedicated disk or volume to contain the impact of a disk-fill condition. To fully address the issue, update to Synapse version 1.106 or later, which introduces the "leaky bucket" rate limit on remote media downloads.

Tags: Exploit · Fix · DoS

Weakness Enumeration: Allocation of Resources Without Limits

Related Identifiers

CVE-2024-37302
GHSA-4MHG-XV73-XQ2X
OPENSUSE-SU-2024:14541-1
PYSEC-2024-286

Affected Products

Synapse