Impact
A malicious server can craft events with a depth outside the integer range allowed by Canonical JSON. When such an event is received by Synapse version up to 1.127.0, it prevents it from federating with other servers. The vulnerability has been exploited in the wild.
Patches
Fixed in Synapse v1.127.1.
Workarounds
Closed federation environments of trusted servers or non-federating installations are not affected.
For more information
If you have any questions or comments about this advisory, please email us at security at element.io.
Impact
A malicious server can craft events with a
depthoutside the integer range allowed by Canonical JSON. When such an event is received by Synapse version up to 1.127.0, it prevents it from federating with other servers. The vulnerability has been exploited in the wild.Patches
Fixed in Synapse v1.127.1.
Workarounds
Closed federation environments of trusted servers or non-federating installations are not affected.
For more information
If you have any questions or comments about this advisory, please email us at security at element.io.