Synapse Outgoing federation to specific hosts can be disabled by sending malicious invites
Description
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A malicious user on a Synapse homeserver X with permission to create certain state events can disable outbound federation from X to an arbitrary homeserver Y. Synapse instances with federation disabled are not affected. In versions of Synapse up to and including 1.73, Synapse did not limit the size of invite_room_state, meaning that it was possible to create an arbitrarily large invite event. Synapse 1.74 refuses to create oversized invite_room_state fields. Server operators should upgrade to Synapse 1.74 or newer urgently.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Malicious users can disable outbound federation from a Synapse homeserver by crafting oversized invite events, fixed in version 1.74.
Vulnerability
CVE-2023-32323 is a flaw in Synapse, the open-source Matrix homeserver. The root cause is that Synapse versions up to and including 1.73 did not enforce any size limits on the invite_room_state field within invite events [2]. This allowed any user with permission to create certain state events to generate an arbitrarily large invite event, which could then be used to disrupt outbound federation.
Exploitation
The attacker is an ordinary but malicious user on Synapse homeserver X who holds the room power level needed to create the relevant state events (typically a room admin or moderator) [2]. No access to, or cooperation from, the target homeserver Y is needed: the attack abuses X's own handling of the invite it is about to send. By attaching an oversized invite_room_state to an invite for a user on Y, the attacker causes X to fail when it tries to deliver that invite, which in effect disables outbound federation from X to Y [2]. Synapse instances with federation disabled are not affected [2].
Impact
A successful attack lets the malicious user selectively break federation from their homeserver X to any homeserver Y of their choosing [2]. Events sent by users on X stop reaching users on Y, breaking the interoperability that is central to the Matrix protocol. The advisory describes the impact in terms of outbound federation from X to Y only; it does not describe inbound traffic from Y to X as being affected.
Mitigation
Synapse 1.74, released in December 2022, refuses to create oversized invite_room_state fields, closing the attack vector [1][2]; the upstream work is tracked in matrix-org/synapse issue 14492 and pull request 14642. Server operators are urged to upgrade to Synapse 1.74 or newer urgently [2]. No workaround is documented for earlier versions: the fix is server-side enforcement of a size limit on the stripped state, so upgrading is the only remedy.
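To make the shape of the fix concrete, the following is an added example (not Synapse's own code and not taken from the referenced pull request) of an invite builder that refuses an oversized invite_room_state before the invite could ever be queued for federation. The 65536-byte ceiling on a whole event is the Matrix specification's limit; the separate 16 KiB budget for the stripped state, the event and user names, and the sample state lists are assumptions constructed for the example.

```python
"""Reject oversized invite_room_state before an invite is sent over federation.

Illustrative check, not Synapse's own code. MAX_EVENT_BYTES is the Matrix
spec's limit on a complete event; MAX_INVITE_ROOM_STATE_BYTES is an assumed
budget chosen for this example.
"""
import json
from typing import Any, Dict, List

MAX_EVENT_BYTES = 65536               # Matrix spec: a complete event must not exceed 64 KiB
MAX_INVITE_ROOM_STATE_BYTES = 16384   # assumed budget for the stripped state carried in an invite

# Fields every stripped state event in invite_room_state is expected to carry.
STRIPPED_STATE_KEYS = ("type", "state_key", "sender", "content")


class OversizedInviteRoomState(ValueError):
    """Raised when stripped state would make the invite too large to federate."""


def canonical_size(obj: Any) -> int:
    """Byte length of the Canonical JSON form (sorted keys, no whitespace, UTF-8)."""
    encoded = json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False)
    return len(encoded.encode("utf-8"))


def check_invite_room_state(state: Any, budget: int = MAX_INVITE_ROOM_STATE_BYTES) -> int:
    """Validate the shape and size of invite_room_state; return its canonical size."""
    if not isinstance(state, list):
        raise ValueError("invite_room_state must be a list of stripped state events")
    for ev in state:
        if not isinstance(ev, dict) or any(k not in ev for k in STRIPPED_STATE_KEYS):
            raise ValueError(f"stripped state event must contain {STRIPPED_STATE_KEYS}")
    size = canonical_size(state)
    if size > budget:
        raise OversizedInviteRoomState(f"invite_room_state is {size} bytes; budget is {budget}")
    return size


def build_invite(room_id: str, sender: str, target: str,
                 invite_room_state: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Assemble an m.room.member invite, refusing to create an oversized one.

    The stripped state is placed under unsigned.invite_room_state, where the
    spec puts it for the invited user.
    """
    check_invite_room_state(invite_room_state)
    event = {
        "type": "m.room.member",
        "room_id": room_id,
        "sender": sender,
        "state_key": target,
        "content": {"membership": "invite"},
        "unsigned": {"invite_room_state": invite_room_state},
    }
    total = canonical_size(event)
    if total > MAX_EVENT_BYTES:  # the whole event must fit as well, not just the stripped state
        raise OversizedInviteRoomState(f"invite event is {total} bytes; limit is {MAX_EVENT_BYTES}")
    return event


# Constructed sample data (assumed names, not from any real deployment).
SENDER = "@alice:example.org"
NORMAL_STATE = [
    {"type": "m.room.name", "state_key": "", "sender": SENDER,
     "content": {"name": "Ops"}},
    {"type": "m.room.join_rules", "state_key": "", "sender": SENDER,
     "content": {"join_rule": "invite"}},
]


def oversized_state(padding: int = 200_000) -> List[Dict[str, Any]]:
    """One stripped m.room.topic event padded far past any sane size."""
    return [{"type": "m.room.topic", "state_key": "", "sender": "@mallory:example.org",
             "content": {"topic": "A" * padding}}]


def demo() -> bool:
    """True if a normal invite is accepted and an oversized one is refused."""
    build_invite("!ops:example.org", SENDER, "@bob:example.net", NORMAL_STATE)
    try:
        build_invite("!ops:example.org", "@mallory:example.org",
                     "@bob:example.net", oversized_state())
    except OversizedInviteRoomState:
        return True
    return False


if __name__ == "__main__":
    print("oversized invite refused:", demo())
```

The point of checking at creation time, rather than when the event is handed to the federation sender, is that a rejected request fails loudly back to the requesting client instead of leaving an undeliverable event in the outbound queue for Y.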
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| matrix-synapse (PyPI) | < 1.74.0 | 1.74.0 |
Affected products
- matrix-org/synapse (affected range: < 1.74.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-f3wc-3vxv-xmvr (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-32323 (NVD entry)
- github.com/matrix-org/synapse/issues/14492 (upstream issue)
- github.com/matrix-org/synapse/pull/14642 (upstream pull request)
- github.com/matrix-org/synapse/security/advisories/GHSA-f3wc-3vxv-xmvr (upstream security advisory)
- github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-67.yaml (PyPI advisory PYSEC-2023-67)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UJIJRP5ZH6B3KGFLHCAKR2IX2Y4Z25QD/ (Fedora package announcement)
News mentions
No linked articles in our index yet.