Today we are releasing Synapse 1.105.1, a security release to fix a High severity vulnerability. We advise you to upgrade your Synapse homeservers to this version at your earliest convenience.
The security fix will also be included in our long-term support (LTS) releases, made available for Element Server Suite (ESS) customers as ESS LTS 23.10 and the upcoming ESS LTS 24.04 release. LTS gives customers the opportunity to stay secure and compliant while avoiding large updates with potential breaking changes and new feature additions. See this page for more information about LTS releases.
Vulnerability information:
- Weakness in auth chain indexing allows DoS from remote room members through disk fill and high CPU usage (High, CVE-2024-31208, GHSA-3h7q-rfh9-xm4v)
Exploitation of the vulnerability primarily affects availability, potentially inducing high CPU consumption and accumulation of excessive data in the database of affected instances. Servers in trusted private federations, or those that do not federate, are not affected. See the advisories linked above for more information.
We thank Alexey Shchepin for finding and responsibly disclosing the issue to us, as well as consulting on the security fix, helping further enhance the resilience of our projects against external threats.
If you have any questions or comments about this security release, please email us security at element.io.
