CVE-2024-37303

5.3 MEDIUM

📋 TL;DR

Synapse Matrix homeserver versions before 1.106 allow unauthenticated remote users to trigger downloads of remote media content and cache it locally, making that content available for unauthenticated download from the local server. This enables adversaries to plant problematic content in the media repository. All Synapse instances running vulnerable versions are affected.

💻 Affected Systems

Products:
  • Synapse Matrix homeserver
Versions: All versions before 1.106
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All default configurations are vulnerable. The vulnerability exists in the media download functionality.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Adversaries could upload malicious or illegal content to the media repository, potentially exposing the server operator to legal liability or reputational damage.

🟠 Likely Case

Attackers could use this to store and distribute inappropriate or malicious media files through the vulnerable server.

🟢 If Mitigated

With authentication required for media downloads, only authorized users can trigger media caching and access cached content.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only unauthenticated access to trigger media downloads from remote servers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.106 and later

Vendor Advisory: https://github.com/element-hq/synapse/security/advisories/GHSA-gjgr-7834-rhxr

Restart Required: Yes

Instructions:

1. Update Synapse to version 1.106 or later using your package manager or installation method.
2. Restart the Synapse service.
3. Verify the update was successful.

🔧 Temporary Workarounds

Restrict media repository access (applies to: all)

Implement network-level restrictions to limit access to media endpoints from untrusted sources.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate the Synapse server from untrusted networks.
  • Deploy a web application firewall (WAF) to filter requests to media endpoints.

🔍 How to Verify

Check if Vulnerable:

Check the Synapse version: if the server is running a version earlier than 1.106, it is vulnerable.

Check Version:

synctl --version or check synapse.__version__ in Python

Verify Fix Applied:

Confirm Synapse version is 1.106 or later and that authentication is required for media downloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual volume of media download requests from unauthenticated sources
  • Requests to /_matrix/media/v1/download endpoint without authentication

Network Indicators:

  • High volume of outbound requests to remote media servers triggered by unauthenticated clients

SIEM Query:

source="synapse.log" AND "_matrix/media/v1/download" AND NOT "authenticated_user_id"
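The version check and the log indicators above, as an added example that is not part of this advisory or of Synapse itself. The log format and the sample lines are constructed for illustration (real Synapse access logs differ); the path match is generalised to any media API version (r0, v1, v3), not only the v1 path named above.

```python
import re
from collections import Counter

# Constructed sample log lines (NOT real Synapse output) in an assumed format:
# <ip> <method> <path> <status> user=<authenticated_user_id|->
SAMPLE_LOG = """\
203.0.113.7 GET /_matrix/media/v1/download/remote.example/abc123 200 user=-
203.0.113.7 GET /_matrix/media/v1/download/remote.example/def456 200 user=-
203.0.113.7 GET /_matrix/media/v3/download/remote.example/ghi789 200 user=-
198.51.100.2 GET /_matrix/media/v3/download/local.example/jkl012 200 user=@alice:local.example
198.51.100.9 GET /_matrix/client/v3/sync 200 user=@bob:local.example
"""

# Any media download path, whatever the API version prefix.
MEDIA_DOWNLOAD = re.compile(r"/_matrix/media/(?:r0|v\d+)/download/")
LINE = re.compile(r"^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) (?P<status>\d{3}) user=(?P<user>\S+)$")

FIXED_VERSION = (1, 106)  # first Synapse release carrying the fix


def parse_version(version: str) -> tuple:
    """Turn '1.105.1' into (1, 105, 1); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def is_vulnerable(version: str) -> bool:
    """True when the running Synapse predates the 1.106 fix."""
    return parse_version(version) < FIXED_VERSION


def unauthenticated_media_downloads(log_text: str) -> Counter:
    """Count media download requests with no authenticated user, per source IP."""
    hits = Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines in an unexpected format rather than guessing
        if MEDIA_DOWNLOAD.search(m["path"]) and m["user"] == "-":
            hits[m["ip"]] += 1
    return hits


def flag_sources(log_text: str, threshold: int = 3) -> list:
    """Source IPs that reach the per-source threshold of unauthenticated downloads."""
    return [ip for ip, n in unauthenticated_media_downloads(log_text).items() if n >= threshold]


if __name__ == "__main__":
    print("1.105.1 vulnerable:", is_vulnerable("1.105.1"))
    print("flagged sources:", flag_sources(SAMPLE_LOG))
```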
