CVE-2025-61672

Description

Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.

Weakness Type (CWE)

CWE-1287 CWE-1287

References

Other References

https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1 https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740 https://github.com/element-hq/synapse/pull/17097 https://github.com/element-hq/synapse/releases/tag/v1.138.3 https://github.com/element-hq/synapse/releases/tag/v1.139.1 https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr

Frequently Asked Questions

What is CVE-2025-61672? +

Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.

How do I check if I'm vulnerable to CVE-2025-61672? +

You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2024-8125

Improper Validation of Specified Type of Input vulnerability in OpenText™ Content Management (Extended ECM) allows Parameter Injection. A bad actor …

CVE-2025-9041

A security issue exists due to improper handling of CIP Class 32’s request when a module is inhibited on the …

CVE-2025-9042

A security issue exists due to improper handling of CIP Class 32’s request when a module is inhibited on the …

CVE-2026-7887

For Concrete CMS 9.5.0 and below, OAuth 2.0 Authorization-Code Handler Bypasses Account Status. A user with uIsActive=0 (suspended, banned, terminated …

CVE-2024-6298 10.0

Unauthorized file access in WEB Server in ABB ASPECT - Enterprise v3.08.01; NEXUS Series v3.08.01 ; MATRIX Series v3.08.01 allows …

CVE-2024-51550 10.0

Data Validation / Data Sanitization vulnerabilities in Linux allows unvalidated and unsanitized data to be injected in an Aspect device. …