Synapse denial of service through media disk space consumption
Description
Synapse is an open-source Matrix homeserver. Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to complete unavailability of the Synapse process, depending on how Synapse was deployed. Synapse 1.106 introduces a new "leaky bucket" rate limit on remote media downloads to reduce the amount of data a user can request at a time. This does not fully address the issue, but it does limit an unauthenticated user's ability to request large amounts of data to be cached.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Synapse before 1.106 allows unauthenticated attackers to exhaust disk space by triggering large remote media downloads, leading to denial of service.
Vulnerability
Overview
CVE-2024-37302 affects Synapse, an open-source Matrix homeserver, in versions prior to 1.106. The vulnerability is a disk fill attack where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limiting strategy is insufficient to prevent this abuse, allowing an attacker to consume disk space rapidly [1][3].
Exploitation and Attack Surface
The attack is exploitable remotely without authentication. An attacker simply requests remote media through Synapse's federation or client API, causing the server to fetch and cache the content. The lack of adequate rate limiting on remote media downloads means a single unauthenticated user can request a high volume of data, filling the disk [3]. The attack surface is the media download functionality exposed to the internet.
Impact
Successful exploitation leads to denial of service (DoS). The disk fill can cause further media uploads and downloads to fail, and in severe cases, make the Synapse process completely unavailable. The impact depends on deployment configuration; for example, if media is stored on the same volume as the operating system, the entire server may become unresponsive [1][3].
Mitigation
Synapse 1.106 introduces a "leaky bucket" rate limit on remote media downloads to reduce the amount of data a user can request at a time. However, this does not fully resolve the issue; it only limits the rate of abuse. Server operators can also decrease the maximum file size allowed and tighten request rate limits as workarounds. Placing media on a dedicated disk or volume can reduce the impact of a disk fill [3].
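To make the distinction concrete, here is an added illustration (not Synapse's own code; the bucket size, drain rate, client addresses and request sizes are constructed values) comparing a naive per-request counter with a byte-volume leaky bucket keyed by client: the counter admits every request in a burst regardless of size, while the bucket caps the bytes one client can have fetched and cached before enough time has elapsed to drain it.

```python
from dataclasses import dataclass

MIB = 2 ** 20

@dataclass
class LeakyBucket:
    capacity: float          # burst: max bytes a client may have outstanding
    drain_per_second: float  # bytes forgiven per second of elapsed time
    level: float = 0.0
    last: float = 0.0

    def try_add(self, nbytes: int, now: float) -> bool:
        # Drain first, so a denied request still credits the elapsed time.
        elapsed = max(0.0, now - self.last)
        self.level = max(0.0, self.level - elapsed * self.drain_per_second)
        self.last = now
        if self.level + nbytes > self.capacity:
            return False
        self.level += nbytes
        return True

class ByteLimiter:
    """One leaky bucket per client, filled with each download's byte size."""
    def __init__(self, capacity: int, drain_per_second: float):
        self.capacity, self.drain, self.buckets = capacity, drain_per_second, {}

    def allow(self, client: str, nbytes: int, now: float) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            bucket = self.buckets[client] = LeakyBucket(self.capacity, self.drain, last=now)
        return bucket.try_add(nbytes, now)

class RequestCountLimiter:
    """Naive per-client requests-per-second counter; blind to response size."""
    def __init__(self, per_second: int):
        self.per_second, self.state = per_second, {}  # client -> (window, count)

    def allow(self, client: str, nbytes: int, now: float) -> bool:
        window, count = self.state.get(client, (int(now), 0))
        if window != int(now):
            window, count = int(now), 0
        self.state[client] = (window, count + 1)
        return count + 1 <= self.per_second

def bytes_admitted(limiter, requests) -> int:
    """Total bytes the limiter lets be fetched and cached, in request order."""
    return sum(n for t, client, n in requests if limiter.allow(client, n, t))

# Constructed burst: one client (203.0.113.5) asks for ten 100 MiB files in one second.
BURST = [(i / 10, "203.0.113.5", 100 * MIB) for i in range(10)]
```

With a 10 requests/second counter the whole 1000 MiB burst is admitted; a 500 MiB bucket draining 1 MiB/s admits only the first five files, and a second client gets its own bucket.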
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| matrix-synapse (PyPI) | < 1.106 | 1.106 |
Affected products
- Range: < 1.106
- element-hq/synapse: Range < 1.106
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-4mhg-xv73-xq2x (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-37302 (NVD)
- github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x (vendor advisory)
News mentions
No linked articles in our index yet.