VYPR
Moderate severity · NVD Advisory · Published Oct 31, 2023 · Updated Feb 13, 2025

Synapse vulnerable to leak of remote user device information

CVE-2023-43796

Description

Synapse is an open-source Matrix homeserver. Prior to versions 1.95.1 and 1.96.0rc1, cached device information of remote users can be queried from Synapse. This can be used to enumerate the remote users known to a homeserver. System administrators are encouraged to upgrade to Synapse 1.95.1 or 1.96.0rc1 to receive a patch. As a workaround, the federation_domain_whitelist can be used to limit federation traffic with a homeserver.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Synapse before 1.95.1/1.96.0rc1 allows remote enumeration of users by querying cached device info of remote users.

Vulnerability Overview

CVE-2023-43796 is an information disclosure vulnerability in Synapse, the open-source Matrix homeserver. The bug allows an attacker to query cached device information for remote users that are not hosted on the target homeserver, enabling user enumeration. The issue exists because the on_federation_query_user_devices and related endpoints did not validate that the queried user belongs to the local homeserver before returning cached data [1][2].
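As an added example (not Synapse's code), the following Python models the missing check described above and the shape the fix gives it: a stand-in UserID parser and SynapseError, a constructed device-key cache that already holds a remote user's keys, and the federation client-keys query handler before and after the is_mine guard. The server name example.org, the remote domain remote.test and the cache contents are constructed for the example.

```python
from typing import Dict, List, NamedTuple

class SynapseError(Exception):
    """Stand-in for synapse.api.errors.SynapseError: HTTP status plus message."""

    def __init__(self, code: int, msg: str) -> None:
        super().__init__(msg)
        self.code = code
        self.msg = msg

class UserID(NamedTuple):
    """Matrix user ID '@localpart:domain'; the domain part may carry a port."""

    localpart: str
    domain: str

    @classmethod
    def from_string(cls, s: str) -> "UserID":
        # Same contract as Synapse's parser: '@' sigil, then split once on ':'.
        if not s or s[0] != "@" or ":" not in s[1:]:
            raise SynapseError(400, f"Expected user ID to start with '@': {s!r}")
        localpart, domain = s[1:].split(":", 1)
        return cls(localpart, domain)

def is_mine(server_name: str, user_id: UserID) -> bool:
    """The check the patch adds: is this user hosted on our homeserver?"""
    return user_id.domain == server_name

# Constructed sample cache: one local user and one remote user whose device
# keys were cached after an earlier federation exchange.
DEVICE_CACHE: Dict[str, Dict[str, str]] = {
    "@alice:example.org": {"DEV1": "key-of-alice"},
    "@bob:remote.test": {"DEV9": "key-of-bob"},
}

def query_client_keys_unpatched(query_body: dict) -> Dict[str, Dict[str, str]]:
    """Before the fix: answers from the cache for any user ID in the request."""
    return {u: DEVICE_CACHE.get(u, {}) for u in query_body.get("device_keys", {})}

def query_client_keys_patched(server_name: str, query_body: dict) -> Dict[str, Dict[str, str]]:
    """After the fix: refuse the whole batch if any requested user is remote."""
    device_keys_query: Dict[str, List[str]] = query_body.get("device_keys", {})
    if any(not is_mine(server_name, UserID.from_string(u)) for u in device_keys_query):
        raise SynapseError(400, "User is not hosted on this homeserver")
    return {u: DEVICE_CACHE.get(u, {}) for u in device_keys_query}
```

The unpatched handler answers for @bob:remote.test from the cache, which is exactly the membership signal that allows enumeration; the patched one refuses the request with a 400 before touching the cache.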

Attack Vector

An attacker can make federation requests to a vulnerable Synapse instance, requesting device keys for arbitrary user IDs. Because the server returns cached device information for any user ID, including users of other homeservers, the attacker can determine which remote users the homeserver has interacted with or knows about. No authentication is required; the attack is performed over the federation protocol [3].

Impact

Successful exploitation allows remote attackers to enumerate the set of remote users known to the homeserver. This information leakage can aid in reconnaissance for further attacks, such as targeting specific users or mapping the social graph of the Matrix network. The vulnerability does not expose private messages or keys, but the enumeration itself is a privacy concern [2][4].

Mitigation

The Synapse project has released patched versions 1.95.1 and 1.96.0rc1. Administrators are strongly advised to upgrade. As a temporary workaround, configuring the federation_domain_whitelist to restrict federation to trusted domains can reduce exposure [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: matrix-synapse (PyPI)
Affected versions: < 1.95.1
Patched versions: 1.95.1

Affected products: 2

Patches: 1

daec55e1fe12

Merge pull request from GHSA-mp92-3jfm-3575

https://github.com/matrix-org/synapse · Patrick Cloke · Oct 31, 2023 · via ghsa
3 files changed · +16 −1
  • synapse/federation/federation_server.py · +7 −1 · modified
    @@ -84,7 +84,7 @@
     from synapse.storage.databases.main.lock import Lock
     from synapse.storage.databases.main.roommember import extract_heroes_from_room_summary
     from synapse.storage.roommember import MemberSummary
    -from synapse.types import JsonDict, StateMap, get_domain_from_id
    +from synapse.types import JsonDict, StateMap, get_domain_from_id, UserID
     from synapse.util import unwrapFirstError
     from synapse.util.async_helpers import Linearizer, concurrently_execute, gather_results
     from synapse.util.caches.response_cache import ResponseCache
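Review bot: style point on the changed import line: the existing names are ordered with the CamelCase classes first (JsonDict, StateMap) and the lowercase function last, and appending UserID after get_domain_from_id breaks that ordering; suggest `from synapse.types import JsonDict, StateMap, UserID, get_domain_from_id`.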
    @@ -999,6 +999,12 @@ async def on_query_user_devices(
         async def on_claim_client_keys(
             self, query: List[Tuple[str, str, str, int]], always_include_fallback_keys: bool
         ) -> Dict[str, Any]:
    +        if any(
    +            not self.hs.is_mine(UserID.from_string(user_id))
    +            for user_id, _, _, _ in query
    +        ):
    +            raise SynapseError(400, "User is not hosted on this homeserver")
    +
             log_kv({"message": "Claiming one time keys.", "user, device pairs": query})
             results = await self._e2e_keys_handler.claim_local_one_time_keys(
                 query, always_include_fallback_keys=always_include_fallback_keys
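Review bot: the is_mine guard in on_claim_client_keys sits in the federation endpoint rather than in the handler it calls, unlike the device.py and e2e_keys.py hunks of this PR, which put the check inside the handler method; any other caller of claim_local_one_time_keys therefore stays unguarded. Consider moving the check next to claim_local_one_time_keys in the handler and keeping the endpoint-level one as defence in depth, with a regression test that a query tuple naming a remote user ID is refused with 400 before log_kv runs.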
    
  • synapse/handlers/device.py · +3 −0 · modified
    @@ -328,6 +328,9 @@ async def get_user_ids_changed(
             return result
     
         async def on_federation_query_user_devices(self, user_id: str) -> JsonDict:
    +        if not self.hs.is_mine(UserID.from_string(user_id)):
    +            raise SynapseError(400, "User is not hosted on this homeserver")
    +
             stream_id, devices = await self.store.get_e2e_device_keys_for_federation_query(
                 user_id
             )
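Review bot: this hunk uses UserID and SynapseError but the file summary for synapse/handlers/device.py shows +3 −0, so no import line was added; confirm both names are already imported in this module, otherwise the new guard raises a NameError at request time instead of the intended 400. The placement itself is right: the check runs before get_e2e_device_keys_for_federation_query, so cached remote device keys are never read for a non-local user_id.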
    
  • synapse/handlers/e2e_keys.py · +6 −0 · modified
    @@ -542,6 +542,12 @@ async def on_federation_query_client_keys(
             device_keys_query: Dict[str, Optional[List[str]]] = query_body.get(
                 "device_keys", {}
             )
    +        if any(
    +            not self.is_mine(UserID.from_string(user_id))
    +            for user_id in device_keys_query
    +        ):
    +            raise SynapseError(400, "User is not hosted on this homeserver")
    +
             res = await self.query_local_devices(
                 device_keys_query,
                 include_displaynames=(
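Review bot: this hunk calls self.is_mine(...) whereas the other two hunks call self.hs.is_mine(...); confirm E2eKeysHandler exposes is_mine (and, since the file summary +6 −0 adds no imports, that UserID and SynapseError are already imported here), or use self.hs.is_mine for consistency with the rest of the PR. Rejecting the whole device_keys batch when any one user ID is remote is the safe choice, since a partial answer would still reveal which remote users are cached.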
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 10

News mentions: 0