Synapse unauthenticated writes to the media repository allow planting of problematic content

Vulnerability

Description

CVE-2024-37303 affects Synapse, an open-source Matrix homeserver. By design, versions before 1.106 permit unauthenticated remote participants to trigger the download and caching of remote media from a remote homeserver to the local media repository. This means any unauthenticated user on the federated network can cause the server to fetch and store arbitrary media files.[1][4]

Exploitation

The attack surface is broad: no authentication is required, and the attacker only needs to be a remote participant on the Matrix federation. They can craft requests that force the local homeserver to download and cache media from a remote server under their control. The downloaded content then becomes available for download from the local homeserver without any authentication.[1][4]

Impact

An unauthenticated remote adversary can use this functionality to plant problematic or illegal content into the media repository of the targeted homeserver. Once cached, this content can be served to any user (including unauthenticated ones) who requests it, potentially leading to reputational damage, legal liability, or further abuse.[1][4]

Mitigation

Synapse 1.106 introduces a partial mitigation by adding new endpoints that require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release, completely closing the attack vector. In the meantime, server operators can apply stricter rate limits based on IP address as a limited workaround.[1][4] The change is aligned with Matrix Spec Proposal MSC3916, which aims to add authentication to media endpoints.[3]