Publish GHSA-fh66-fcv5-jjfr

advisory-database[bot] · advisory-database[bot] · commit 2e02a580ede0 · 2025-10-08T17:52:29.000Z
diff --git a/advisories/github-reviewed/2025/10/GHSA-fh66-fcv5-jjfr/GHSA-fh66-fcv5-jjfr.json b/advisories/github-reviewed/2025/10/GHSA-fh66-fcv5-jjfr/GHSA-fh66-fcv5-jjfr.json
@@ -0,0 +1,108 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fh66-fcv5-jjfr",
+  "modified": "2025-10-08T17:51:02Z",
+  "published": "2025-10-08T17:51:02Z",
+  "aliases": [
+    "CVE-2025-61672"
+  ],
+  "summary": "Synapse's invalid device keys degrade federation functionality",
+  "details": "### Impact\n\nLack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allow an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. \n\n### Patches\n\nPatched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2.\n\nNote that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, it is recommend to skip these releases and upgrading straight to 1.138.4 and 1.139.2.\n\n### Workarounds\n\nThe vulnerability can only be exploited by users registered on the victim homeserver.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "matrix-synapse"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.138.3"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "matrix-synapse"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.139.0rc2"
+            },
+            {
+              "fixed": "1.139.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61672"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/element-hq/synapse/pull/17097"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/element-hq/synapse"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/element-hq/synapse/releases/tag/v1.138.3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/element-hq/synapse/releases/tag/v1.138.4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/element-hq/synapse/releases/tag/v1.139.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/element-hq/synapse/releases/tag/v1.139.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-08T17:51:02Z",
+    "nvd_published_at": "2025-10-08T15:16:25Z"
+  }
+}
