CVE-2024-52805

7.5 HIGH

📋 TL;DR

Synapse Matrix homeserver versions before 1.120.1 have a vulnerability where multipart/form-data requests can cause excessive memory consumption in certain configurations. This can be exploited to amplify denial of service attacks against the server. All Synapse instances with default or custom configurations accepting multipart/form-data are affected.

💻 Affected Systems

Products:
  • Synapse (Matrix homeserver)
Versions: All versions before 1.120.1
Operating Systems: All operating systems running Synapse
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability affects configurations where multipart/form-data requests are processed. The issue is in the underlying Twisted framework's multipart handling.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete service outage due to memory exhaustion, causing the Synapse server to crash or become unresponsive, potentially affecting all Matrix users on that homeserver.

🟠 Likely Case: Degraded performance and intermittent service disruptions as memory consumption spikes during request processing, impacting user experience and server reliability.

🟢 If Mitigated: Minimal impact with proper rate limiting, memory monitoring, and request filtering in place, though some performance degradation may still occur during attack attempts.

🌐 Internet-Facing: HIGH - Synapse homeservers are typically internet-facing to allow Matrix federation, making them directly accessible to attackers who can send malicious multipart/form-data requests.
🏢 Internal Only: LOW - If Synapse is deployed in a strictly internal network without external access, risk is reduced but still present from internal threats.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted multipart/form-data requests. No authentication is needed, so any attacker who can reach the server over the network can trigger the issue.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.120.1

Vendor Advisory: https://github.com/element-hq/synapse/security/advisories/GHSA-rfq8-j7rh-8hf2

Restart Required: Yes

Instructions:

1. Back up your Synapse configuration and database.
2. Update Synapse using pip: 'pip install --upgrade matrix-synapse==1.120.1'.
3. Restart the Synapse service: 'systemctl restart synapse.service' or equivalent.
4. Verify the update with 'synapse --version'.

🔧 Temporary Workarounds

Block multipart/form-data requests

Applies to: all

Configure the reverse proxy or firewall to reject requests with Content-Type: multipart/form-data before they reach Synapse.

# Example nginx configuration (inside the server {} block that fronts Synapse):
location / {
    # Close the connection without a response for any multipart/form-data body.
    # Synapse's standard client, federation and admin endpoints expect JSON or
    # raw media bodies rather than multipart/form-data, so legitimate clients
    # are unaffected; verify this against any custom modules before deploying.
    if ($http_content_type ~* "multipart/form-data") {
        return 444;
    }
    proxy_pass http://synapse:8008;
}

Implement rate limiting

Applies to: all

Configure aggressive per-client rate limiting on the endpoints likely to receive multipart/form-data bodies, to reduce the impact of an attack.

# Example using nginx limit_req.
# limit_req_zone must be declared in the http {} context; the location block
# belongs in the server {} block that proxies to Synapse.
limit_req_zone $binary_remote_addr zone=multipart:10m rate=1r/s;

# Synapse's media upload endpoints (v3, r0 and legacy v1) are the ones that
# normally receive large request bodies.
location ~ ^/_matrix/media/(v3|r0|v1)/upload {
    # Permit a short burst of 5 requests per client, then reject (HTTP 503)
    # immediately instead of queueing the excess.
    limit_req zone=multipart burst=5 nodelay;
    proxy_pass http://synapse:8008;
}

🧯 If You Can't Patch

  • Deploy a WAF or reverse proxy with strict request size limits and multipart/form-data filtering
  • Implement comprehensive monitoring and alerting for memory usage spikes with automated restart procedures

🔍 How to Verify

Check if Vulnerable:

Check the Synapse version with 'synapse --version' or examine the installed package version. If the version is below 1.120.1, the system is vulnerable.

Check Version:

synapse --version

Verify Fix Applied:

After updating, verify that 'synapse --version' shows 1.120.1 or higher. Test by sending a multipart/form-data request; it should be rejected with an appropriate error.
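The version comparison above can be scripted so it runs the same way on every host. The following is an added example, not code from the advisory or the Synapse project: it reads the installed matrix-synapse distribution version through importlib.metadata rather than a CLI entry point, parses the dotted release number (treating a, b and rc pre-release suffixes as older than the final release), and compares it against the 1.120.1 fix version named in the advisory. The exit codes are this example's own convention.

```python
"""Check whether an installed Synapse is older than the CVE-2024-52805 fix.

Added example; not from the advisory or the Synapse project. It reads the
installed distribution metadata instead of relying on a CLI entry point, so
it works in any Python environment where matrix-synapse is installed.
"""
import re
from importlib import metadata
from typing import Optional, Tuple

FIXED_VERSION = "1.120.1"  # first release containing the fix, per the advisory

# Dotted numeric release, optionally followed by an a/b/rc pre-release marker.
VERSION_RE = re.compile(r"^\s*v?(\d+(?:\.\d+)*)(a|b|rc)?")


def parse_version(version: str) -> Tuple[int, ...]:
    """Normalise a version string to a comparable tuple.

    The dotted numeric prefix is padded to four segments; a trailing flag is
    1 for a final release and 0 for an a/b/rc pre-release, so "1.120.1rc1"
    sorts before "1.120.1". Local and post suffixes ("+deb12", ".post1") are
    ignored. Raises ValueError if no numeric prefix is present.
    """
    m = VERSION_RE.match(version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    nums = [int(part) for part in m.group(1).split(".")]
    nums = (nums + [0] * 4)[:4]
    is_final = 0 if m.group(2) else 1
    return tuple(nums) + (is_final,)


def is_vulnerable(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when `version` is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def installed_synapse_version() -> Optional[str]:
    """Version of the installed matrix-synapse distribution, or None if absent."""
    try:
        return metadata.version("matrix-synapse")
    except metadata.PackageNotFoundError:
        return None


def main() -> int:
    """Exit 0 when patched, 1 when vulnerable, 2 when Synapse is not installed."""
    version = installed_synapse_version()
    if version is None:
        print("matrix-synapse is not installed in this Python environment")
        return 2
    vulnerable = is_vulnerable(version)
    print(f"matrix-synapse {version}: "
          f"{'VULNERABLE' if vulnerable else 'patched'} (fix in {FIXED_VERSION})")
    return 1 if vulnerable else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run it with the same interpreter (or virtualenv) that runs Synapse, otherwise it will report on a different installation than the one serving traffic.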

📡 Detection & Monitoring

Log Indicators:

  • Spikes in the Synapse process's memory usage in system or application metrics
  • Multiple requests with Content-Type: multipart/form-data in access logs
  • Error logs showing multipart processing failures or memory allocation errors

Network Indicators:

  • Unusually large number of POST requests with multipart/form-data content type
  • Requests with abnormally large Content-Length headers
  • Traffic patterns showing repeated upload attempts

SIEM Query:

source="synapse.log" AND ("multipart/form-data" OR "memory allocation" OR "out of memory") | stats count by src_ip
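The network indicators above can be checked outside a SIEM as well. The following is an added example, not from the advisory or the Synapse project: it assumes the nginx reverse proxy in front of Synapse writes a custom log format (shown in the docstring) that records $http_content_type and $request_length, which the default combined format does not include. It parses such lines, counts multipart/form-data requests per source address, and flags sources that exceed a burst threshold or send individual multipart requests above a size threshold. The thresholds, the log format and the sample lines (RFC 5737 documentation addresses) are constructed for illustration.

```python
"""Flag sources that send bursts of multipart/form-data requests at Synapse.

Added detection example; not from the advisory or the Synapse project. It
assumes the reverse proxy in front of Synapse logs a custom nginx format
that records the request Content-Type and the total request length:

    log_format synapse_ct '$remote_addr [$time_local] "$request" $status '
                          '$request_length "$http_content_type"';

The thresholds and the sample log lines below are constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, Iterable, List, NamedTuple, Optional

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<length>\d+) "(?P<ctype>[^"]*)"$'
)

MULTIPART_BURST = 5                     # multipart requests from one IP before alerting
LARGE_REQUEST_BYTES = 10 * 1024 * 1024  # 10 MiB: flag each multipart request this big


class Entry(NamedTuple):
    ip: str
    method: str
    path: str
    status: int
    length: int
    ctype: str


def parse_line(line: str) -> Optional[Entry]:
    """Parse one access-log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # skip malformed lines instead of aborting the whole run
    return Entry(m["ip"], m["method"], m["path"], int(m["status"]),
                 int(m["length"]), m["ctype"].lower())


def is_multipart(entry: Entry) -> bool:
    """True when the request body was declared as multipart/form-data."""
    return entry.ctype.startswith("multipart/form-data")


def analyse(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Return {source_ip: [reasons]} for sources that trip either rule."""
    multipart_per_ip: Counter = Counter()
    large_per_ip: Counter = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_multipart(entry):
            continue
        multipart_per_ip[entry.ip] += 1
        if entry.length >= LARGE_REQUEST_BYTES:
            large_per_ip[entry.ip] += 1

    alerts: Dict[str, List[str]] = {}
    for ip, count in multipart_per_ip.items():
        reasons = []
        if count >= MULTIPART_BURST:
            reasons.append(f"{count} multipart/form-data requests")
        if large_per_ip[ip]:
            reasons.append(f"{large_per_ip[ip]} multipart requests of >= {LARGE_REQUEST_BYTES} bytes")
        if reasons:
            alerts[ip] = reasons
    return alerts


# Constructed sample: one source sending six 15 MiB multipart bodies, one stray
# small multipart request, ordinary JSON and raw media-upload traffic, and a
# malformed line that the parser must tolerate.
SAMPLE_LOG = [
    f'203.0.113.7 [02/Dec/2024:10:15:0{i} +0000] "POST /_matrix/client/v3/login HTTP/1.1" '
    '400 15728640 "multipart/form-data; boundary=----abc"'
    for i in range(6)
] + [
    '198.51.100.4 [02/Dec/2024:10:16:00 +0000] "POST /_matrix/client/v3/login HTTP/1.1" '
    '400 212 "multipart/form-data; boundary=xyz"',
    '192.0.2.9 [02/Dec/2024:10:16:02 +0000] "POST /_matrix/client/v3/login HTTP/1.1" '
    '200 310 "application/json"',
    '192.0.2.9 [02/Dec/2024:10:16:05 +0000] "POST /_matrix/media/v3/upload HTTP/1.1" '
    '200 5242880 "image/png"',
    'not an access log line',
]


if __name__ == "__main__":
    for ip, reasons in analyse(SAMPLE_LOG).items():
        print(f"ALERT {ip}: " + "; ".join(reasons))
```

On the constructed sample only 203.0.113.7 is reported, for both the burst and the oversized bodies; the raw image/png upload from 192.0.2.9 is large but not multipart, so it is ignored, which is the distinction that keeps this rule from firing on normal media traffic. In production, feed the function a tailed log and reset the counters per time window rather than counting over the whole file.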
