VYPR
High severity · NVD Advisory · Published Nov 24, 2020 · Updated Aug 4, 2024

CVE-2020-26890

Description

Matrix Synapse before 1.20.0 erroneously permits non-standard NaN, Infinity, and -Infinity JSON values in fields of m.room.member events, allowing remote attackers to execute a denial of service attack against the federation and common Matrix clients. If such a malformed event is accepted into the room's state, the impact is long-lasting and is not fixed by an upgrade to a newer version, requiring the event to be manually redacted instead. Since events are replicated to servers of other room members, the impact is not constrained to the server of the event sender.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Matrix Synapse before 1.20.0 mishandles non-standard JSON values in room member events, enabling a persistent denial of service across the federation.

Vulnerability Description

Matrix Synapse versions prior to 1.20.0 accept the non-standard literals NaN, Infinity, and -Infinity in fields of m.room.member events [1][2]. These are IEEE 754 special float values that the JSON specification (RFC 8259) does not define; a standards-conforming parser rejects them, but the lenient decoder used by Synapse did not, and the server neither validated nor sanitised the decoded values before accepting the event. A specially crafted event can therefore be accepted into a room's state and persisted there [1].

Exploitation and Attack Surface

The attack is remote and requires no privileged position or elevated rights on the target: the attacker needs only an account on some homeserver that federates with the target (including a homeserver they operate themselves) and membership in a room shared with the victim. Because a join or profile change is itself an m.room.member event, the attacker's own membership event is a sufficient carrier for the malformed value. Once the vulnerable server accepts the event, it is replicated over Matrix federation to every other homeserver in the room, so the denial of service propagates to those servers and their users [1][2]. Any federated room the attacker can join is a viable vector.
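The following added example (written for this page, not code from Synapse) shows the parsing behaviour behind the root cause and the check that closes it. Python's json module accepts NaN/Infinity/-Infinity by default, so a lenient decoder lets the value into the event; a strict decoder rejects the literal at parse time, and a walk over already-decoded data catches non-finite floats that arrived by any other route. The event bodies and user IDs below are constructed for illustration and are not the events from the original report.

```python
import json
import math
from typing import Any, List, Tuple

# Constructed sample: an m.room.member event as it might arrive over federation,
# carrying a non-standard NaN literal in one content field. Hypothetical data.
MALFORMED_EVENT = '''{
  "type": "m.room.member",
  "state_key": "@attacker:evil.example",
  "sender": "@attacker:evil.example",
  "content": {"membership": "join", "displayname": "x", "avatar_url": NaN},
  "depth": 42
}'''

# Constructed sample: the same event shape with only standard JSON values.
WELL_FORMED_EVENT = '''{
  "type": "m.room.member",
  "state_key": "@alice:example.org",
  "sender": "@alice:example.org",
  "content": {"membership": "join", "displayname": "Alice"},
  "depth": 42
}'''


def lenient_loads(text: str) -> Any:
    """json.loads as shipped: silently accepts NaN, Infinity and -Infinity."""
    return json.loads(text)


def _reject_constant(name: str) -> Any:
    # parse_constant is invoked only for the three non-standard literals.
    raise ValueError(f"non-standard JSON constant not allowed: {name}")


def strict_loads(text: str) -> Any:
    """Decode JSON but refuse the IEEE 754 special literals at parse time."""
    return json.loads(text, parse_constant=_reject_constant)


def find_non_finite(obj: Any, path: str = "$") -> List[str]:
    """Return JSON paths of every non-finite float in an already-decoded object.

    This catches values that reached us through a decoder we do not control.
    """
    bad: List[str] = []
    if isinstance(obj, float) and not math.isfinite(obj):
        bad.append(path)
    elif isinstance(obj, dict):
        for key, value in obj.items():
            bad.extend(find_non_finite(value, f"{path}.{key}"))
    elif isinstance(obj, list):
        for index, value in enumerate(obj):
            bad.extend(find_non_finite(value, f"{path}[{index}]"))
    return bad


def accept_event(text: str) -> Tuple[bool, str]:
    """Hypothetical admission check: strict decode, then a defence-in-depth walk."""
    try:
        event = strict_loads(text)
    except ValueError as exc:
        return False, str(exc)
    bad = find_non_finite(event)
    if bad:
        return False, "non-finite value at " + ", ".join(bad)
    return True, "ok"


if __name__ == "__main__":
    decoded = lenient_loads(MALFORMED_EVENT)
    print("lenient decoder produced:", decoded["content"]["avatar_url"])
    print("malformed event accepted?", accept_event(MALFORMED_EVENT))
    print("well-formed event accepted?", accept_event(WELL_FORMED_EVENT))
```

The persistence described in this advisory follows from the same asymmetry: a server that decoded NaN leniently will emit it again with json.dumps (whose allow_nan default is True), so every conforming consumer downstream fails on the re-serialised state until the event is redacted. Setting allow_nan=False on serialisation would surface the problem as an exception instead of invalid output.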

Impact

Acceptance of such a malformed event causes a denial of service against federation itself and against common Matrix clients [1]. Servers and clients that use a standards-conforming JSON parser cannot decode the event, and with it the room state that contains it. The impact is long-lasting: upgrading the server to a patched version stops new malformed events from being accepted but does not remove the one already in the room state, which an administrator must redact by hand [1][2]. Because the event is replicated to every homeserver in the room, the effect is not limited to the sender's server but reaches all participants [1].

Mitigation

The vulnerability is fixed in Matrix Synapse 1.20.0 [2]. Operators should upgrade to that version or later to prevent new occurrences. Rooms that already contain a malicious event still require the offending event to be redacted individually before normal service is restored [1]. There is no workaround other than upgrading and cleaning the existing state.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                  Affected versions   Patched versions
matrix-synapse (PyPI)    < 1.20.0            1.20.0
