[Pkg-matrix-maintainers] Bug#1117854: matrix-synapse: CVE-2025-61672

Salvatore Bonaccorso carnil at debian.org
Sat Oct 11 20:05:16 BST 2025


Source: matrix-synapse
Version: 1.136.0-1
Severity: grave
Tags: security upstream
Justification: user security hole
Forwarded: https://github.com/element-hq/synapse/pull/17097
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for matrix-synapse.

CVE-2025-61672[0]:
| Synapse is an open source Matrix homeserver implementation. Lack of
| validation for device keys in Synapse before 1.138.3 and in Synapse
| 1.139.0 allows an attacker registered on the victim homeserver to
| degrade federation functionality, unpredictably breaking outbound
| federation to other homeservers. The issue is patched in Synapse
| 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though
| 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently
| introduced an unrelated regression. For this reason, the maintainers
| of Synapse recommend skipping these releases and upgrading straight
| to 1.138.4 and 1.139.2.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61672
    https://www.cve.org/CVERecord?id=CVE-2025-61672
[1] https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr
[2] https://github.com/element-hq/synapse/pull/17097
[3] https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1
[4] https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740

Regards,
Salvatore