CVE-2024-37302

7.5 HIGH

📋 TL;DR

Synapse Matrix homeserver versions before 1.106 are vulnerable to a disk fill attack where unauthenticated attackers can force the server to download and cache large amounts of remote media. This can cause denial of service ranging from media upload/download failures to complete server unavailability. All Synapse deployments using default configurations are affected.

💻 Affected Systems

Products:
  • Synapse Matrix homeserver
Versions: All versions before 1.106
Operating Systems: All platforms running Synapse
Default Config Vulnerable: ⚠️ Yes
Notes: Default rate limiting configuration is insufficient to prevent this attack.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete server unavailability due to disk exhaustion, causing service disruption for all users.

🟠 Likely Case: Degraded performance and media upload/download failures as disk space fills up.

🟢 If Mitigated: Limited impact with proper rate limiting and monitoring in place.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation possible from any internet source.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit but requires network access.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Attack requires no authentication and minimal technical skill to execute.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.106 or later

Vendor Advisory: https://github.com/element-hq/synapse/security/advisories/GHSA-4mhg-xv73-xq2x

Restart Required: Yes

Instructions:

1. Back up your Synapse configuration and database.
2. Update Synapse to version 1.106 or later using your package manager or pip.
3. Restart the Synapse service.
4. Verify that the new version is running.

🔧 Temporary Workarounds

Implement custom rate limiting
  • Applies to: all
  • Configure stricter rate limits for remote media downloads in the Synapse configuration
  • Edit homeserver.yaml to add rate-limiting rules for the remote media endpoints

Disk space monitoring and alerts
  • Applies to: all
  • Set up monitoring to alert when disk usage exceeds thresholds
  • Configure monitoring tools to track the size of the /var/lib/synapse/media_cache directory

🧯 If You Can't Patch

  • Implement aggressive disk usage monitoring with automated alerts
  • Configure external rate limiting at network perimeter (firewall/WAF)

🔍 How to Verify

Check if Vulnerable:

Check Synapse version: if version < 1.106, system is vulnerable

Check Version:

synctl --version or check Synapse logs for version information

Verify Fix Applied:

Verify Synapse version is 1.106 or higher and check that remote media rate limiting is enabled

📡 Detection & Monitoring

Log Indicators:

  • Rapid increase in remote media download requests
  • Disk space warnings in system logs
  • High media cache directory growth rate

Network Indicators:

  • Unusual spikes in outbound traffic to remote media servers
  • High volume of requests to /_matrix/media/v3/download endpoints

SIEM Query:

source="synapse.log" AND "remote media" AND ("download" OR "cache") | stats count by src_ip
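As an added detection example (not part of this advisory), the script below applies the log indicators above to constructed Synapse-style access log lines: it extracts media downloads whose origin server differs from the local server_name (assumed here to be homeserver.local, since only those populate the remote media cache) and flags source IPs whose request count or fetched bytes within a sliding window exceed a threshold. The line format is an approximation of synapse.access.http output and the thresholds are placeholders to tune per deployment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines, loosely modelled on synapse.access.http entries;
# they are illustrative and not copied from a real Synapse deployment.
SAMPLE_LOG = """\
2024-05-01 12:00:00,100 - synapse.access.http.8008 - INFO - 203.0.113.5 - 512B 200 "GET /_matrix/media/v3/download/homeserver.local/ownfile HTTP/1.1"
2024-05-01 12:00:01,200 - synapse.access.http.8008 - INFO - 203.0.113.5 - 4194304B 200 "GET /_matrix/media/v3/download/remote-a.example/f001 HTTP/1.1"
2024-05-01 12:00:02,300 - synapse.access.http.8008 - INFO - 203.0.113.5 - 4194304B 200 "GET /_matrix/media/v3/download/remote-a.example/f002 HTTP/1.1"
2024-05-01 12:00:03,400 - synapse.access.http.8008 - INFO - 203.0.113.5 - 4194304B 200 "GET /_matrix/media/v3/download/remote-b.example/f003 HTTP/1.1"
2024-05-01 12:00:04,500 - synapse.access.http.8008 - INFO - 198.51.100.7 - 1024B 200 "GET /_matrix/media/v3/download/remote-a.example/f010 HTTP/1.1"
2024-05-01 12:09:00,000 - synapse.access.http.8008 - INFO - 203.0.113.5 - 4194304B 200 "GET /_matrix/media/v3/download/remote-c.example/f004 HTTP/1.1"
"""
LOCAL_SERVER = "homeserver.local"  # assumed server_name of the homeserver being defended

LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d+ .*? - (?P<ip>\S+) - '
    r'(?P<size>\d+)B \d{3} "GET /_matrix/media/(?:v3|r0)/(?:download|thumbnail)/(?P<origin>[^/]+)/'
)

def remote_media_events(log_text, local_server=LOCAL_SERVER):
    """Yield (timestamp, src_ip, origin_server, bytes) for downloads that go through the remote media cache."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["origin"] != local_server:  # local media never triggers a remote fetch
            yield (datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"), m["ip"], m["origin"], int(m["size"]))

def find_bursts(log_text, window=timedelta(seconds=60), max_requests=3, max_bytes=8 * 1024 * 1024):
    """Return {src_ip: (requests, bytes)} for IPs whose remote-media requests in any sliding
    window exceed max_requests or max_bytes (placeholder thresholds). First tripping window wins."""
    per_ip = defaultdict(deque)
    flagged = {}
    for ts, ip, _origin, size in remote_media_events(log_text):
        q = per_ip[ip]
        q.append((ts, size))
        while q and ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        n, total = len(q), sum(s for _, s in q)
        if ip not in flagged and (n > max_requests or total > max_bytes):
            flagged[ip] = (n, total)
    return flagged

if __name__ == "__main__":
    for ip, (n, total) in find_bursts(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {n} remote media fetches, {total} bytes pulled into the cache within one window")
```

In the constructed sample only 203.0.113.5 trips the alert, on the byte threshold; a real deployment would feed the script its rotated access logs and pair the alert with the media_cache size check from the workarounds section.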
