Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Impact
In federated rooms, malicious homeservers can craft room events in such a way that prevents Synapse from providing full history to paginating clients.
Clients could therefore fail to display room history.
Patches
Update to Synapse 1.152.1 or later.
Workarounds
There are no known workarounds for this issue.
Identifiers
- ELEMENTSEC-2025-1636
For more information
If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).
AnalysisAI
Malicious homeservers in federated Matrix rooms can craft room events that prevent Synapse from delivering complete message history to paginating clients, causing clients to fail displaying room history. This affects Synapse versions prior to 1.152.1 and represents an information disclosure vulnerability where room history may be withheld from legitimate users due to adversarial event construction by a remote federated homeserver.
Technical ContextAI
Synapse is the reference implementation of the Matrix protocol, an open standard for decentralized, interoperable real-time communication. The vulnerability exploits improper validation of room events (CWE-20: Improper Input Validation) in the context of federated architecture, where homeservers communicate across trust boundaries to maintain shared room state. When clients request room history pagination via the Matrix client-server API, Synapse aggregates events from its database and federated sources. Malicious homeservers can craft events with specific properties that cause Synapse's pagination logic to fail, preventing it from returning the complete history slice requested by the client. This is not a traditional denial-of-service against availability, but rather a targeted information disclosure where legitimate historical messages become inaccessible through normal pagination flow.
RemediationAI
Upgrade Matrix Synapse to version 1.152.1 or later immediately. Follow Element's official upgrade guidance at https://github.com/element-hq/synapse to perform the update, which typically involves backing up the database, installing the patched package (pip install matrix-synapse>=1.152.1), and restarting the Synapse service. No workarounds exist; patching is the sole remediation. Organizations unable to patch immediately should consider restricting federated room access or disabling federation temporarily if operationally feasible, though these are crude mitigations that impact user experience and should not substitute for prompt patching.
Same weakness CWE-20 – Improper Input Validation
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32934
GHSA-6qf2-7x63-mm6v