The German Federal Office for Information Security clearly states that it is good security practice to update software as soon as possible when there are new fixes published by the software manufacturer. Similarly, the Cyber Resilience Act in section 56 states: “One of the most important measures for users to take in order to protect their products with digital elements from cyberattacks is to install the latest available security updates as soon as possible.”
We couldn’t agree more. Therefore, for anyone still running Synapse version 1.98.0 or earlier, it’s time to upgrade. To be clear, we’re referring to the version prior to the licensing changes 15 months ago. Running a Matrix homeserver on 1.98.0 (or older) leaves users and organisations insecure and exposed to unmitigated risks.
Don’t put your communications at risk
Synapse is the reference homeserver for Matrix-based communication. Originally licensed under Apache 2.0, it allowed highly permissive use. In November 2023 we announced Synapse was moving to the AGPLv3 license, in order to encourage commercial Matrix deployments to contribute to supporting Synapse’s development costs. The AGPL requires organisations to contribute to development by publishing their modifications to the codebase or, if that’s not possible, by buying an alternative commercial license from the relevant rights holder.
This transition happened in December 2023, and if you’re still using the old Apache-licensed Synapse version 1.98.0 or older, you’re running unsupported, vulnerable software. Your options are either:
- Upgrade to the latest AGPL Synapse for free and honour its licensing (i.e. make any derived products and changes to the code publicly available)
- Enter a commercial agreement with Element that provides an alternative to AGPL’s requirements, while also receiving support and compliance guarantees from Element
- Maintain the outdated version independently, which requires handling all security patches and recreating AGPL developments without violating the AGPL - an immense burden in terms of time, cost and expertise
For public sector and enterprise users, staying on version 1.98.0 isn’t just impractical, it’s a serious security risk.
An incident waiting to happen
Synapse version 1.98.0 has multiple known issues:
- Two critical vulnerabilities, CVE-2024-41671 and CVE-2024-31208, expose organisations to attack
- Authenticated media access is missing, despite being required for compliance with gematik TI-Messenger Pro/ePA specifications (more details: MSC3916)
- Matrix 1.10, 1.11, 1.12 and 1.13 are unsupported, and Matrix 1.11 is required for TI-M Pro/ePA (see gematik announcement for details)
- Older versions of Synapse lack encryption stability bugfixes that are critical for federated environments (like TI-M), leading to undecryptable messages.
- Unpatched message retention bugs cause database bloat and eventual system failure. A fix is coming in Synapse 1.124, but only for AGPL versions.
All of these issues are publicly known today. It is difficult to justify remaining exposed to the risks they present, especially if something does go wrong; imagine having to explain to a regulator why you didn’t mitigate them.
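As an added illustration (not part of the original post and not Synapse's own code), the check below shows how an operator can audit a homeserver against the two concrete criteria in the list above: a Synapse release at or below 1.98.0, and missing Matrix v1.11 support. It reads the two standard, unauthenticated Matrix endpoints (`GET /_matrix/federation/v1/version`, which Synapse answers with its server name and version, and `GET /_matrix/client/versions`, which lists the spec versions the server advertises). The sample responses embedded in the script are constructed for the example; the `fetch_json` helper is a plain `urllib` wrapper for running the same audit against your own server.

```python
import json
import re
import urllib.request

# Cut-off taken from the post: 1.98.0 was the last Apache-2.0 release,
# so anything at or below it is an unsupported, pre-AGPL build.
LAST_APACHE_VERSION = (1, 98, 0)
# Spec version the post says TI-M Pro/ePA deployments require.
REQUIRED_SPEC_VERSION = "v1.11"

# Synapse versions look like "1.98.0" or "1.124.0rc1"; we only compare the numeric triple.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_synapse_version(version: str) -> tuple:
    """Turn a Synapse version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Synapse version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_unsupported_version(version: str) -> bool:
    """True when the release is at or below the last Apache-licensed version."""
    return parse_synapse_version(version) <= LAST_APACHE_VERSION


def supports_spec(client_versions: dict, required: str = REQUIRED_SPEC_VERSION) -> bool:
    """True when /_matrix/client/versions advertises the required spec version."""
    return required in client_versions.get("versions", [])


def audit_homeserver(server_version_json: str, client_versions_json: str) -> list:
    """Return a list of findings; an empty list means neither problem was detected."""
    findings = []
    server = json.loads(server_version_json).get("server", {})
    name, version = server.get("name", "?"), server.get("version", "")
    if name != "Synapse":
        findings.append(f"server identifies as {name!r}, not Synapse; version check skipped")
    elif not version:
        findings.append("server did not report a version; cannot assess support status")
    elif is_unsupported_version(version):
        cutoff = ".".join(str(n) for n in LAST_APACHE_VERSION)
        findings.append(f"Synapse {version} is at or below {cutoff}: unsupported pre-AGPL release")
    if not supports_spec(json.loads(client_versions_json)):
        findings.append(f"homeserver does not advertise Matrix {REQUIRED_SPEC_VERSION}")
    return findings


def fetch_json(url: str, timeout: float = 10.0) -> str:
    """Fetch a JSON document as text (for live use against your own homeserver)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses (shapes follow the Matrix spec; values are illustrative).
OLD_SERVER_VERSION = json.dumps({"server": {"name": "Synapse", "version": "1.98.0"}})
OLD_CLIENT_VERSIONS = json.dumps({"versions": ["r0.6.1", "v1.1", "v1.2", "v1.3", "v1.4", "v1.5", "v1.6", "v1.7", "v1.8"]})
CURRENT_SERVER_VERSION = json.dumps({"server": {"name": "Synapse", "version": "1.124.0"}})
CURRENT_CLIENT_VERSIONS = json.dumps({"versions": ["r0.6.1", "v1.1", "v1.8", "v1.9", "v1.10", "v1.11", "v1.12", "v1.13"]})


if __name__ == "__main__":
    # Live use would be:
    #   audit_homeserver(fetch_json("https://matrix.example.org/_matrix/federation/v1/version"),
    #                    fetch_json("https://matrix.example.org/_matrix/client/versions"))
    for label, sv, cv in (("old", OLD_SERVER_VERSION, OLD_CLIENT_VERSIONS),
                          ("current", CURRENT_SERVER_VERSION, CURRENT_CLIENT_VERSIONS)):
        result = audit_homeserver(sv, cv)
        print(f"{label}: {'OK' if not result else '; '.join(result)}")
```

The federation version endpoint is served on the federation listener (port 8448 by default), so point `fetch_json` at that address if your client and federation ports differ. Release candidates such as `1.124.0rc1` compare as their base version, which is deliberate: the question being asked is only whether the build predates the 1.98.0 cut-off.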
You’re missing out
Those still on Synapse version 1.98.0 are missing out on major new benefits introduced during the past 15 months. Public sector and enterprise deployments need the latest and most robust options available. The following aren't available in version 1.98.0:
- Advanced authentication – support for Matrix Authentication Service (MAS) and OpenID Connect (OIDC)
- Native Sliding Sync (since 1.114.0) – required for Element X (our next generation mobile app)
- QR code login support with Matrix Authentication Service (MAS) – simplifies authentication for end users
- Authenticated media – avoids unauthorised access to content and abuse of Matrix servers as a free content hosting service
- Admin API improvements – enhance our trust and safety practices
- Stability and performance fixes – continuous improvements that aren’t backported to outdated versions (see changelog here and here)
Meet your regulatory obligations
Users of outdated Synapse versions face regulatory compliance risks. Public sector areas such as healthcare, defence and government administration must adhere to strict security and data protection regulations. Unsupported software creates serious security and compliance risks, so it simply isn’t a viable option. Regulatory frameworks require up-to-date security patches, so using outdated versions of Synapse can result in non-compliance, legal liabilities and breaches. For example, the German Federal Office for Information Security (BSI), in its guidelines for patch and change management OPS.1.1.3.A15 of the IT-Basic Protection (IT-Grundschutz) regulation, points out that “IT systems and software should be regularly updated” and that any decision not to do so has to be documented with a justification.
When adhering to the requirements of AGPL (publishing changes to the underlying codebase) isn’t an option, entering a commercial agreement with us means you don’t have to publish the code changes. A commercial agreement also comes with other benefits at no extra cost, such as:
- Long-Term Support (LTS) - Regular security updates and stability improvements without introducing new, potentially disruptive features
- Access to our ‘Advance Security Advisory Programme’ for early vulnerability warnings and rapid fixes, reducing the risk of downtime or breaches
In regulated areas compliance is critical. You need to take every opportunity to mitigate risk.
Don’t freeride on outdated software
System Integrators (SIs) working with public sector clients must be vigilant. When an SI builds on outdated Synapse versions, they are exposing critical infrastructure to unmitigated risk in terms of security vulnerabilities, compliance issues and legal consequences.
The bottom line? Using outdated versions of Synapse is not just a bad idea, it’s a critical security and compliance risk. The only responsible path forward is to stay up to date with the latest version of Synapse. This isn’t principally about accessing new features, it’s about protecting organisations from insecure, unsupported software, particularly when what is at stake involves large organisations funded by the taxpayer and handling vast amounts of taxpayers’ personal data.
If you are interested in finding out more about getting a commercial license for Synapse, visit the Build webpage.