Validation Flaw in Synapse Affects Open Source Matrix Homeserver Functionality
CVE-2025-61672

5.3MEDIUM

Key Information:

Vendor

Element-hq

Status
Synapse
Vendor
CVE Published:
8 October 2025

What is CVE-2025-61672?

The Synapse Matrix homeserver, an open source implementation, suffers from a vulnerability due to inadequate validation of device keys in specific versions. This flaw enables an attacker, already registered on the targeted homeserver, to disrupt federation capabilities, resulting in unpredictable failures in outbound federation communication with external homeservers. The issue has been resolved in versions 1.138.4 and 1.139.2, although it is advisable to upgrade directly from earlier versions to these patches to avoid potential regressions introduced in intermediate releases.

Affected Version(s)

synapse < 1.138.3 < 1.138.3

synapse = 1.139.0 = 1.139.0

References

https://github.com/element-hq/synapse/security/advisories...
x_refsource_CONFIRM
https://github.com/element-hq/synapse/pull/17097
x_refsource_MISC
https://github.com/element-hq/synapse/commit/26aaaf9e48ff...
x_refsource_MISC

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.
CVE-2025-61672 : Validation Flaw in Synapse Affects Open Source Matrix Homeserver Functionality