PT-2024-35455 · Synapse · Synapse

Published 2024-12-03 · Updated 2025-08-26 · CVE-2024-52805

CVSS v4.0: 8.2 (High)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Synapse, versions prior to 1.120.1
Description: Synapse is an open-source Matrix homeserver. In versions before 1.120.1, a request whose Content-Type is multipart/form-data is still parsed even though no Synapse API consumes that encoding, and in certain configurations that parsing transiently raises memory consumption well beyond what the request size alone would suggest. An unauthenticated remote attacker can therefore send such requests to drive up memory use on the homeserver and amplify a denial-of-service attack; no user interaction is needed, and only availability is affected (VC:N/VI:N/VA:H in the vector above).
Recommendations: Update to Synapse 1.120.1 or later, which rejects requests carrying the unsupported multipart/form-data content type; Synapse has no endpoint that uses that encoding, so the change does not affect legitimate clients. If you cannot update immediately, apply one or more of the following mitigations: limit request body sizes or block the multipart/form-data content type in a reverse proxy in front of Synapse so that such requests never reach it, and lower Synapse's maximum upload size (the max_upload_size option in homeserver.yaml), which bounds how large a request body Synapse will accept. A proxy-side block only helps for traffic that actually passes through the proxy; a Synapse listener exposed directly (for example, a federation port) is not covered by it.
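The following nginx configuration is an added example, not part of the advisory and not configuration shipped by the Synapse project. It implements both proxy-side workarounds from the recommendations: a request body cap and a refusal of multipart/form-data. The upstream address, server name, certificate paths and the 50M limit are assumptions to adapt to your deployment.

```nginx
# Added example (not from the advisory or the Synapse project): nginx in front
# of Synapse enforcing the two workarounds before a request reaches the
# homeserver. Host names, ports, certificate paths and the 50M limit are
# assumptions.

upstream synapse_backend {
    # Assumed Synapse client listener.
    server 127.0.0.1:8008;
}

server {
    listen 443 ssl;
    server_name matrix.example.org;            # assumed

    ssl_certificate     /etc/ssl/matrix.example.org/fullchain.pem;  # assumed
    ssl_certificate_key /etc/ssl/matrix.example.org/privkey.pem;    # assumed

    # Workaround 1: cap the request body at the proxy. Keep this at or below
    # Synapse's own max_upload_size (default 50M) so oversized bodies are
    # refused here with 413 instead of being streamed into Synapse.
    client_max_body_size 50M;

    location ~ ^(/_matrix|/_synapse/client) {
        # Workaround 2: refuse multipart/form-data outright. No Synapse
        # endpoint consumes it (media upload takes the raw file body), so
        # legitimate clients are unaffected. Match case-insensitively and on
        # the prefix only, because the header normally carries a
        # "; boundary=..." parameter after the media type.
        if ($content_type ~* "^multipart/form-data") {
            return 415;
        }

        proxy_pass http://synapse_backend;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The content-type check lives inside the Synapse location block, so it only fires on requests that would otherwise be proxied to the homeserver; `return` is one of the few directives that is safe to use inside nginx `if`. The proxy limit does not replace Synapse's own max_upload_size: keep both, and remember that any listener clients or other servers can reach without going through this proxy (for example, a federation port bound directly on Synapse) still needs the 1.120.1 update to be protected.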

Exploit

Fix

DoS

Allocation of Resources Without Limits


Weakness Enumeration

CWE-770: Allocation of Resources Without Limits or Throttling

Related Identifiers

CVE-2024-52805
GHSA-RFQ8-J7RH-8HF2
OPENSUSE-SU-2024:14541-1

Affected Products

Synapse