Synapse allows unsupported content types to lead to memory exhaustion
Description
Synapse is an open-source Matrix homeserver. In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks. Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Synapse before 1.120.1 can transiently spike memory when processing multipart/form-data requests, enabling amplified denial-of-service attacks.
Vulnerability
Description
CVE-2024-52805 affects Synapse, an open-source Matrix homeserver. The vulnerability lies in how the server handles multipart/form-data requests. In certain configurations, processing such requests can cause a transient, sharp increase in memory consumption beyond expected levels [1]. This memory amplification is the root cause; it can be exploited to amplify denial-of-service attacks.
Exploitation and Attack Surface
An attacker can exploit this by sending specially crafted multipart/form-data requests to a vulnerable Synapse instance. No special authentication or network position is required; the attack can be launched remotely over the network. The effect is amplified memory usage during request processing, potentially exhausting server resources and impacting service availability for legitimate users [1].
Impact
Successful exploitation leads to a denial-of-service condition. The attacker can amplify the memory impact of their requests, overwhelming the server's capacity and causing degraded performance or complete unavailability of the Matrix homeserver service. This affects all users relying on that Synapse instance.
Mitigation
Synapse version 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type altogether [1]. Users should upgrade to at least version 1.120.1 to eliminate the attack vector. For those unable to immediately upgrade, reviewing and restricting multipart/form-data handling may be considered, though no official workaround is documented.
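The fix described above works by deciding from the request headers alone, before any body bytes are buffered or handed to a multipart parser, whether the content type is one the endpoint supports. The following is an added illustration of that allowlisting approach; it is not Synapse's own code, and the endpoint paths and their permitted media types are constructed for the demo.

```python
"""Content-Type allowlisting before body parsing.

Added example illustrating the mitigation described above (refusing
multipart/form-data, or any media type an endpoint does not support,
before the request body is read). This is not Synapse's code; the
endpoint paths and their allowlists are constructed for the demo.
"""
from __future__ import annotations

# Constructed per-endpoint allowlist (hypothetical paths, not Synapse's routes).
ALLOWED_CONTENT_TYPES: dict[str, frozenset[str]] = {
    "/api/send": frozenset({"application/json"}),
    "/api/upload": frozenset({"application/octet-stream", "image/png", "image/jpeg"}),
}


def parse_content_type(header_value: str | None) -> tuple[str | None, dict[str, str]]:
    """Split a Content-Type header into a lower-cased media type and its parameters.

    'Multipart/Form-Data; boundary="abc"' -> ("multipart/form-data", {"boundary": "abc"})
    A missing or blank header yields (None, {}).
    """
    if header_value is None or not header_value.strip():
        return None, {}
    media_type, _, rest = header_value.partition(";")
    params: dict[str, str] = {}
    for part in rest.split(";"):
        key, sep, value = part.partition("=")
        if not sep:
            continue  # ignore malformed fragments such as a bare word without '='
        params[key.strip().lower()] = value.strip().strip('"')
    return media_type.strip().lower(), params


def content_type_decision(path: str, headers: dict[str, str]) -> tuple[int, str]:
    """Decide from the headers alone whether the request body may be parsed.

    Returns (200, media_type) when the body may proceed to the parser, or
    (415, reason) for an HTTP 415 Unsupported Media Type response. Only
    headers are inspected, so the rejection happens before any multipart
    parser allocates buffers for the body.
    """
    allowed = ALLOWED_CONTENT_TYPES.get(path)
    if allowed is None:
        return 415, f"no request bodies accepted on {path}"
    # Header names are case-insensitive; find Content-Type however it was spelled.
    raw = next((v for k, v in headers.items() if k.lower() == "content-type"), None)
    media_type, _params = parse_content_type(raw)
    if media_type is None:
        return 415, "missing Content-Type header"
    if media_type not in allowed:
        return 415, f"{media_type} is not supported on {path}"
    return 200, media_type


if __name__ == "__main__":
    # Constructed sample requests exercising the allowlist.
    samples = [
        ("/api/send", {"Content-Type": "application/json; charset=utf-8"}),
        ("/api/send", {"content-type": 'multipart/form-data; boundary="x"'}),
        ("/api/upload", {"Content-Type": "image/png"}),
        ("/api/upload", {}),
    ]
    for path, hdrs in samples:
        status, detail = content_type_decision(path, hdrs)
        print(f"{path:12s} -> {status} {detail}")
```

The allowlist is deliberately per endpoint rather than a global denylist of multipart/form-data: an upload route may legitimately need a body type that a JSON API route never should, and a positive list is what keeps an unexpected parser from ever being reached.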
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| matrix-synapse (PyPI) | < 1.120.1 | 1.120.1 |
Affected products
- Range: < 1.120.1
- element-hq/synapse: Range: < 1.120.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-rfq8-j7rh-8hf2 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-52805 (NVD advisory)
- github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2 (vendor advisory, confirmed)
- github.com/twisted/twisted/issues/4688 (upstream Twisted issue)
News mentions
No linked articles in our index yet.