CVE-2024-37302: Synapse denial of service through media disk space consumption

December 3, 2024 (updated June 6, 2026)

Synapse versions before 1.106 are vulnerable to a disk fill attack, where an unauthenticated adversary can induce Synapse to download and cache large amounts of remote media. The default rate limit strategy is insufficient to mitigate this. This can lead to a denial of service, ranging from further media uploads/downloads failing to completely unavailability of the Synapse process, depending on how Synapse was deployed.

References

github.com/advisories/GHSA-4mhg-xv73-xq2x
github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x
github.com/pypa/advisory-database/tree/main/vulns/matrix-synapse/PYSEC-2024-286.yaml
nvd.nist.gov/vuln/detail/CVE-2024-37302

Code Behaviors & Features

Detect and mitigate CVE-2024-37302 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →