Upstream information
Description
Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.SUSE information
Overall state of this security issue: Does not affect SUSE products
This issue is currently rated as having moderate severity.
| CVSS detail | CNA (GitHub) |
|---|---|
| Base Score | 5.3 |
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| Attack Vector | Network |
| Attack Complexity | Low |
| Attack Requirements | None |
| Privileges Required | Low |
| User Interaction | None |
| Vulnerable System Confidentiality Impact | None |
| Vulnerable System Integrity Impact | Low |
| Vulnerable System Availability Impact | Low |
| Subsequent System Confidentiality Impact | None |
| Subsequent System Integrity Impact | None |
| Subsequent System Availability Impact | None |
| CVSSv4 Version | 4.0 |
List of released packages
| Product(s) | Fixed package version(s) | References |
|---|---|---|
| openSUSE Tumbleweed |
| Patchnames: openSUSE-Tumbleweed-2025-15603 |
SUSE Timeline for this CVE
CVE page created: Tue Oct 7 15:15:08 2025CVE page last modified: Thu Oct 9 01:25:03 2025