CVE-2025-30355: Synapse vulnerable to federation denial of service via malformed events

7.1 CVSS

Description

Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.

Known Exploited

🚨 Marked as known exploited on March 27th, 2025 (23 days ago).

Classification

CVE ID: CVE-2025-30355

CVSS Base Severity: HIGH

CVSS Base Score: 7.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

Problem Types

CWE-20: Improper Input Validation

Affected Products

Vendor: element-hq

Product: synapse

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.7% (probability of being exploited)

EPSS Percentile: 70.83% (scored less or equal to compared to others)

EPSS Date: 2025-04-18 (when was this score calculated)

Stakeholder-Specific Vulnerability Categorization (SSVC)

SSVC Exploitation: none

SSVC Technical Impact: partial

SSVC Automatable: false

References

https://nvd.nist.gov/vuln/detail/CVE-2025-30355
https://github.com/element-hq/synapse/security/advisories/GHSA-v56r-hwv5-mxg6
https://github.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389
https://github.com/element-hq/synapse/releases/tag/v1.127.1

Timeline

2025-03-27 14:40:22 UTC
CVE

Synapse vulnerable to federation denial of service via malformed events
2025-03-27 14:41:41 UTC
🚨 Marked as Known Exploited
2025-03-27 19:15:27 UTC
Github Advisory Database (PIP)

[matrix-synapse] Synapse vulnerable to federation denial of service via malformed events