URL deny list bypass via oEmbed and image URLs when generating previews in Synapse
Description
Synapse is a Matrix protocol homeserver written in Python with the Twisted framework. A discovered oEmbed or image URL can bypass the url_preview_url_blacklist setting, potentially allowing server-side request forgery or bypassing network policies. Impact is limited to IP addresses allowed by the url_preview_ip_range_blacklist setting (by default this only allows public IPs) and by the limited information returned to the client:
1. For discovered oEmbed URLs, any non-JSON response or a JSON response which includes non-oEmbed information is discarded.
2. For discovered image URLs, any non-image response is discarded.
Systems which have URL preview disabled (via the url_preview_enabled setting) or have not configured a url_preview_url_blacklist are not affected. This issue has been addressed in version 1.85.0. Users are advised to upgrade. Users unable to upgrade may also disable URL previews.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Synapse URL preview bypass of url_preview_url_blacklist via oEmbed or image URLs allows potential SSRF, fixed in version 1.85.0.
Vulnerability Details
CVE-2023-32683 is a bypass in Synapse, a Matrix homeserver, where discovered oEmbed or image URLs can circumvent the url_preview_url_blacklist configuration setting [1][2]. This could allow server-side request forgery (SSRF) or bypassing network policies, though impact is limited by the url_preview_ip_range_blacklist (default only public IPs) and the restricted information returned to the client [2].
Exploitation
An attacker can craft a message containing a URL whose page advertises an oEmbed endpoint or image URL that, when previewed by the server, is fetched without being checked against url_preview_url_blacklist, causing the server to request hosts the deny list was meant to exclude (still subject to url_preview_ip_range_blacklist) [2]. However, non-JSON or non-image responses are discarded, limiting the data leakage [2]. Systems without URL preview enabled or without a configured blacklist are not affected [2].
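The two paragraphs above describe the same flaw from the attacker's and the server's side. The following is an added, self-contained model of it in Python (it is not Synapse's code and does not reproduce the patch in the referenced pull request). It assumes deny-list semantics modelled on Synapse's documented url_preview_url_blacklist format (a list of entries; every URL component an entry names must match; patterns are fnmatch globs, or a regular expression when the pattern starts with `^`). The deny list, the in-memory "network", the attacker page, the hostnames and the helper names (`is_url_blocked`, `Fetcher`, `discover`, `preview`) are all constructed for the example. With `check_discovered=False` only the client-supplied URL is checked and the discovered oEmbed and image URLs are fetched anyway; with `check_discovered=True` every URL is checked before it is fetched.

```python
import fnmatch
import json
import re
from urllib.parse import urlsplit

# Constructed deny list (not from the page): block an internal hostname and any
# host written as a literal IPv4 address.  Matching semantics are an assumption
# modelled on Synapse's documented setting: all components named in an entry
# must match; glob patterns, or a regex when the pattern starts with '^'.
URL_DENY_LIST = [
    {"netloc": "internal.example.corp"},
    {"netloc": "*.internal.example.corp"},
    {"netloc": r"^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+(:[0-9]+)?$"},
]


def is_url_blocked(url, deny_list=URL_DENY_LIST):
    """True if some deny-list entry matches every URL component it names."""
    parts = urlsplit(url)
    for entry in deny_list:
        matched = True
        for attrib, pattern in entry.items():
            value = getattr(parts, attrib, None)
            if value is None:  # e.g. entry names 'username' but URL has none
                matched = False
                break
            value = str(value)  # 'port' parses as int; match on strings
            if pattern.startswith("^"):
                ok = re.match(pattern, value) is not None
            else:
                ok = fnmatch.fnmatch(value, pattern)
            if not ok:
                matched = False
                break
        if matched:
            return True
    return False


# Constructed in-memory "network": URL -> (content type, body).  The attacker's
# public page points its oEmbed discovery link and og:image at internal hosts.
FAKE_NETWORK = {
    "https://attacker.example.net/page": (
        "text/html",
        '<html><head>'
        '<link rel="alternate" type="application/json+oembed" href="http://10.0.0.5/oembed">'
        '<meta property="og:image" content="http://internal.example.corp/logo.png">'
        '</head><body>hi</body></html>',
    ),
    "http://10.0.0.5/oembed": ("application/json", '{"type": "rich", "title": "internal dashboard"}'),
    "http://internal.example.corp/logo.png": ("image/png", "<png bytes>"),
}

OEMBED_LINK = re.compile(r'<link[^>]+type="application/json\+oembed"[^>]+href="([^"]+)"', re.I)
OG_IMAGE = re.compile(r'<meta[^>]+property="og:image"[^>]+content="([^"]+)"', re.I)


class Fetcher:
    """Records every URL the 'server' fetches, so the SSRF is observable."""

    def __init__(self, network=FAKE_NETWORK):
        self.network = network
        self.fetched = []

    def get(self, url):
        self.fetched.append(url)
        return self.network.get(url)


def discover(html):
    """Return (oembed_url, image_url) discovered in a fetched HTML page."""
    oembed = OEMBED_LINK.search(html)
    image = OG_IMAGE.search(html)
    return (oembed.group(1) if oembed else None, image.group(1) if image else None)


def preview(url, fetcher, check_discovered):
    """Build a preview dict for a client-supplied URL.

    check_discovered=False models the pre-1.85.0 behaviour: only the
    client-supplied URL is checked; discovered URLs are followed unchecked.
    check_discovered=True checks every URL before fetching it.
    """
    if is_url_blocked(url):
        raise ValueError("blocked by url_preview_url_blacklist: " + url)
    resp = fetcher.get(url)
    if resp is None or not resp[0].startswith("text/html"):
        return {}
    oembed_url, image_url = discover(resp[1])
    result = {}
    if oembed_url and not (check_discovered and is_url_blocked(oembed_url)):
        o = fetcher.get(oembed_url)
        if o and o[0] == "application/json":  # non-JSON replies are discarded
            data = json.loads(o[1])
            if "title" in data:
                result["title"] = data["title"]
    if image_url and not (check_discovered and is_url_blocked(image_url)):
        i = fetcher.get(image_url)
        if i and i[0].startswith("image/"):  # non-image replies are discarded
            result["image"] = image_url
    return result
```

Running `preview("https://attacker.example.net/page", Fetcher(), check_discovered=False)` shows the server fetching both internal URLs even though each would fail `is_url_blocked` on its own; with `check_discovered=True` only the public page is fetched and the preview is empty. The content-type filtering in `preview` is what keeps the leaked information limited, as the description notes, but it does not stop the request from being made.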
Impact
Successful exploitation could allow an attacker to perform SSRF attacks within the allowed IP range, potentially accessing internal services or conducting reconnaissance [2]. The severity is considered low due to the constraints [4].
Mitigation
The issue has been fixed in Synapse version 1.85.0 [1][4]. Users are advised to upgrade, or alternatively disable URL previews via the url_preview_enabled setting [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| matrix-synapse (PyPI) | < 1.85.0 | 1.85.0 |
Affected products
- matrix-org/synapse (range: < 1.85.0)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-98px-6486-j7qc (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2023-32683 (NVD)
- github.com/matrix-org/synapse/pull/15601 (pull request)
- github.com/matrix-org/synapse/releases/tag/v1.85.0 (release)
- github.com/matrix-org/synapse/security/advisories/GHSA-98px-6486-j7qc (vendor advisory)
- github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2023-85.yaml (PyPI advisory database)
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6DH5A5YEB5LRIPP32OUW25FCGZFCZU2 (Fedora package announcement)
News mentions
No linked articles in our index yet.