CVE-2021-41281
📋 TL;DR
This vulnerability lets an unauthenticated attacker trick a Synapse homeserver with the media repository enabled into downloading a file from a remote server into an arbitrary directory outside the configured media store, by supplying a crafted server name in a remote-media download or thumbnail request. The final two directory levels and the file name are chosen at random by Synapse and cannot be controlled by the attacker, which limits but does not eliminate the risk. Only instances with the media repository enabled and no federation whitelist are affected.
💻 Affected Systems
- matrix-org/synapse
📦 What is this software?
Fedora by Fedoraproject
Synapse by Matrix
⚠️ Risk & Real-World Impact
Worst Case
A file served by a homeserver the attacker controls is written into a directory of the attacker's choosing, anywhere the Synapse process user can write. Because the last two directory levels and the file name are random and chosen by Synapse, the attacker cannot overwrite a specific existing file; turning the write into code execution would require some other component that picks up arbitrary new files from the target directory.
Likely Case
Disk-space exhaustion or clutter in directories outside the media store: each crafted request makes Synapse fetch a remote file and store it, so repeated requests can fill the filesystem. The bug provides no read primitive, so existing files cannot be exfiltrated through it.
If Mitigated
Not exploitable when the media repository is disabled or a federation whitelist is configured, since Synapse checks the full server-name string, including any '../' sequences, against the whitelist. Exploitation never bypasses authentication; the affected download and thumbnail endpoints are unauthenticated by design.
🎯 Exploit Status
No authentication is required: the remote-media download and thumbnail endpoints accept requests from anyone who can reach them. Exploitation is straightforward (a single crafted HTTP request whose server-name path component contains traversal sequences), but the impact is bounded by the random path components Synapse appends.
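To make the mechanism concrete, the following is an added example (not Synapse's own code) contrasting an unchecked path builder with one that validates each path component and re-checks that the normalised path stays under the store, in the spirit of the 1.47.1 fix. The store path, function names and the two-level directory layout are assumptions for the example; the media_id argument stands in for the random parts of the path that Synapse itself chooses.

```python
import posixpath

# Assumed media store location for this example (Synapse's real one comes
# from media_store_path in homeserver.yaml).
MEDIA_STORE = "/var/lib/synapse/media_store"


def _split_media_id(media_id: str):
    """Mimic a two-level fan-out layout: ab/cd/<rest>. The media_id stands in
    for the random components Synapse chooses, not for anything the
    requester controls."""
    return media_id[0:2], media_id[2:4], media_id[4:]


def vulnerable_remote_media_path(server_name: str, media_id: str) -> str:
    """Pre-fix behaviour, reconstructed for illustration: the server name taken
    from the request URL is spliced into the filesystem path unchecked."""
    a, b, rest = _split_media_id(media_id)
    return posixpath.join(MEDIA_STORE, "remote_content", server_name, a, b, rest)


def escapes_store(path: str) -> bool:
    """True when the lexically normalised path does not lie under MEDIA_STORE."""
    normalised = posixpath.normpath(path)
    return posixpath.commonpath([MEDIA_STORE, normalised]) != MEDIA_STORE


_FORBIDDEN = {"", ".", ".."}


def validate_path_component(name: str) -> str:
    """Reject anything that could change directory: an empty name, '.', '..',
    or a separator of either flavour. A Matrix server name (host[:port])
    never legitimately contains one."""
    if name in _FORBIDDEN or "/" in name or "\\" in name:
        raise ValueError("invalid path component: %r" % (name,))
    return name


def hardened_remote_media_path(server_name: str, media_id: str) -> str:
    """Post-fix style builder: validate every component, then re-check the
    assembled path as defence in depth."""
    a, b, rest = _split_media_id(media_id)
    path = posixpath.join(
        MEDIA_STORE,
        "remote_content",
        validate_path_component(server_name),
        validate_path_component(a),
        validate_path_component(b),
        validate_path_component(rest),
    )
    if escapes_store(path):
        raise ValueError("path escapes media store: %r" % (path,))
    return path


def is_rejected(server_name: str, media_id: str) -> bool:
    """Convenience check: does the hardened builder refuse this input?"""
    try:
        hardened_remote_media_path(server_name, media_id)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    evil = "../../../../../tmp"      # constructed attacker-supplied server name
    media_id = "abcdef0123"          # stands for Synapse's random identifier
    print(vulnerable_remote_media_path(evil, media_id))  # resolves under /tmp
    print(escapes_store(vulnerable_remote_media_path(evil, media_id)))  # True
    print(is_rejected(evil, media_id))                    # True
    print(hardened_remote_media_path("matrix.org", media_id))
```

The component check alone is what closes the hole; the final escapes_store() check costs nothing and catches any future builder that forgets to validate a new component. Note that the attacker chooses only the directory: the "ab/cd/ef0123" tail is still whatever Synapse generated.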
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.47.1
Vendor Advisory: https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c
Restart Required: Yes
Instructions:
1. Back up the configuration, signing keys and database.
2. Update Synapse. For a pip/virtualenv install: 'pip install --upgrade matrix-synapse==1.47.1' (or any later release). For distribution packages (the matrix.org Debian/Ubuntu repository, Fedora), use the package manager once the fixed package is available.
3. Restart the Synapse service, including any worker processes.
4. Verify the running version with 'pip show matrix-synapse' inside the Synapse environment, or via the admin API endpoint '/_synapse/admin/v1/server_version'.
🔧 Temporary Workarounds
Block vulnerable endpoints via reverse proxy
Block the remote-media download and thumbnail endpoints at the reverse proxy. This prevents exploitation but also breaks media download for every client, so treat it as a stop-gap. The vendor advisory names these endpoints:
  /_matrix/media/r0/download/{serverName}/{mediaId}
  /_matrix/media/r0/download/{serverName}/{mediaId}/{fileName}
  /_matrix/media/r0/thumbnail/{serverName}/{mediaId}
Synapse also routes the legacy '/_matrix/media/v1/' prefix to the same handlers, so cover both. The media endpoints are served on every listener that exposes the client, federation or media resource, so the block must apply to each of them; a federation port (typically 8448) exposed directly rather than through the proxy would bypass it.
# Example nginx config (a regex location wins over a prefix location such as 'location /_matrix' unless that prefix location uses '^~'):
location ~ ^/_matrix/media/(r0|v1)/(download|thumbnail)/ {
    deny all;
}
# Example Apache config:
<LocationMatch "^/_matrix/media/(r0|v1)/(download|thumbnail)/">
    Require all denied
</LocationMatch>
Use hardened systemd configuration
For non-containerized Linux deployments, apply systemd sandboxing to limit where the Synapse process can write. The vendor advisory points to the hardened unit in the Synapse repository (contrib/systemd). This does not stop the traversal itself: a crafted request can still write anywhere under the directories listed in ReadWritePaths (for example next to the database or signing key under /var/lib/synapse), but it keeps the write out of the rest of the filesystem.
# Add to the [Service] section of the systemd unit; adjust ReadWritePaths to cover media_store_path and the other directories Synapse must write to:
ProtectSystem=strict
ReadWritePaths=/var/lib/synapse
NoNewPrivileges=true
🧯 If You Can't Patch
- Disable the media repository: set 'enable_media_repo: false' in homeserver.yaml. Media upload and download stop working; files already on disk are untouched.
- Configure a federation whitelist ('federation_domain_whitelist' in homeserver.yaml). Synapse checks the full server-name string, including any '../' sequences, against the list, so crafted names are rejected. Note that the whitelist restricts all federation to the listed servers, not only media fetching.
🔍 How to Verify
Check if Vulnerable:
Determine the running version and whether the media repository is enabled. Any version before 1.47.1 with 'enable_media_repo' not set to false and no 'federation_domain_whitelist' is vulnerable.
Check Version:
pip show matrix-synapse                                   # inside the Synapse virtualenv
python -c 'import synapse; print(synapse.__version__)'    # same environment
curl -s https://<homeserver>:8448/_matrix/federation/v1/version   # unauthenticated; reports name and version
curl -s -H 'Authorization: Bearer <admin token>' https://<homeserver>/_synapse/admin/v1/server_version
Verify Fix Applied:
Confirm the reported version is 1.47.1 or later. Then confirm media still works end to end: upload a file from a client, download it, and request a thumbnail of it. If you removed a reverse-proxy block or re-enabled the media repository as part of the upgrade, re-run the version check afterwards to make sure the patched instance is the one actually serving requests.
📡 Detection & Monitoring
Log Indicators:
- Requests to '/_matrix/media/r0/download/' or '/_matrix/media/r0/thumbnail/' (also the legacy v1 prefix) whose server-name segment contains '..', '/' or '\' after URL decoding. In raw proxy logs this shows up as '%2e%2e', '%2f' or '%5c' inside that segment; a real Matrix server name (host[:port]) never contains a slash.
- Before the fix such requests succeed, so status codes do not help; after 1.47.1 Synapse rejects them, and a burst of rejected requests with these patterns indicates scanning rather than compromise.
- New files or directories owned by the Synapse user appearing outside media_store_path, especially in the two-level random layout the media store uses.
Network Indicators:
- HTTP requests to the media download/thumbnail endpoints carrying encoded traversal sequences in the server-name segment, typically from clients that have no account on the server.
- Outbound HTTPS from Synapse to a server named in such a request that no local user shares a room with.
SIEM Query:
(source="nginx-access" OR source="synapse.log") ("/_matrix/media/r0/download/" OR "/_matrix/media/r0/thumbnail/" OR "/_matrix/media/v1/download/" OR "/_matrix/media/v1/thumbnail/") AND ("../" OR "%2e%2e" OR "%2E%2E" OR "%2f" OR "%2F" OR "%5c" OR "%5C")
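The following is an added example (not Synapse's code and not a vendor SIEM rule) that applies the log indicators above to reverse-proxy access logs: it parses nginx "combined" format lines, isolates the server-name segment of media download and thumbnail requests, URL-decodes it once (as the server would) and flags any segment containing a separator or a dot-segment. The log lines are constructed for this example; the IPs and media identifiers are made up.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Constructed sample access-log lines in nginx "combined" format. The second
# and third lines carry encoded traversal in the server-name segment; the
# last line shows a legitimate host:port server name that must not be flagged.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Nov/2021:10:00:01 +0000] "GET /_matrix/media/r0/download/matrix.org/AbCdEf123456 HTTP/1.1" 200 5120 "-" "Element/1.9"
203.0.113.9 - - [12/Nov/2021:10:00:02 +0000] "GET /_matrix/media/r0/download/evil.example%2F..%2F..%2F..%2F..%2Ftmp/AbCdEf123456 HTTP/1.1" 200 5120 "-" "curl/7.79"
203.0.113.9 - - [12/Nov/2021:10:00:03 +0000] "GET /_matrix/media/r0/thumbnail/..%2F..%2Fevil.example/AbCdEf123456?width=32&height=32 HTTP/1.1" 200 512 "-" "curl/7.79"
203.0.113.7 - - [12/Nov/2021:10:00:04 +0000] "POST /_matrix/media/r0/upload?filename=x.png HTTP/1.1" 200 80 "-" "Element/1.9"
203.0.113.8 - - [12/Nov/2021:10:00:05 +0000] "GET /_matrix/media/r0/download/example.org%3A8448/AbCdEf123456/file.png HTTP/1.1" 200 5120 "-" "Element/1.9"
"""

# Request line fields we need from the combined format.
_REQ = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)

# Only the remote-media fetching endpoints (r0 and legacy v1 prefixes) take a
# server name as the first path segment after the verb.
_MEDIA = re.compile(r'^/_matrix/media/(?:r0|v1)/(?:download|thumbnail)/(?P<server>[^/?]+)')


def server_name_is_traversal(raw_segment: str) -> bool:
    """Decode the raw (still percent-encoded) server-name segment once, as the
    server does, and flag anything that could change directory. A legitimate
    Matrix server name is host[:port] and never contains a separator."""
    decoded = unquote(raw_segment)
    return decoded in ("", ".", "..") or "/" in decoded or "\\" in decoded


def find_traversal_requests(log_text: str) -> List[Dict[str, str]]:
    """Return one record per access-log line that targets a remote-media
    endpoint with a traversal-bearing server name."""
    hits = []
    for line in log_text.splitlines():
        m = _REQ.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = m.group("path")
        mm = _MEDIA.match(path)
        if not mm:
            continue  # upload, config, or non-media request
        if server_name_is_traversal(mm.group("server")):
            hits.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "path": path,
                "status": m.group("status"),
            })
    return hits


if __name__ == "__main__":
    for hit in find_traversal_requests(SAMPLE_LOG):
        print(hit)  # two hits from 203.0.113.9 in the sample
```

Matching on the decoded segment rather than on raw substrings avoids both false negatives from mixed-case encodings ('%2F' versus '%2f') and false positives from legitimate ':' ('%3A') in host:port names. Pre-fix instances log these requests with status 200, so the status field is recorded for context but not used in the decision.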
🔗 References
- https://github.com/matrix-org/synapse/commit/91f2bd090
- https://github.com/matrix-org/synapse/releases/tag/v1.47.1
- https://github.com/matrix-org/synapse/security/advisories/GHSA-3hfw-x7gx-437c
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/EU7QRE55U4IUEDLKT5IYPWL3UXMELFAS/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/N3WY56LCEZ4ZECLWV5KMAXF2PSMUB4F2/