GHSA-x345-32rc-8h85

GitHub Security Advisory

Denial of service attack via push rule patterns in matrix-synapse

Severity: MODERATE · Has CVE · GitHub Reviewed

Advisory Details

### Impact

"Push rules" can specify [conditions](https://matrix.org/docs/spec/client_server/r0.6.1#conditions) under which they will match, including `event_match`, which matches event content against a pattern including wildcards.

Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events.
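As an added example (not Synapse's own code and not the logic of the patch commit), the block below contrasts a naive glob-to-regex translation, whose cost depends on how much the regex engine backtracks, with a linear two-pointer wildcard matcher whose worst case is bounded by the product of pattern and text length. The `event_match` glob syntax assumed here (`*` any run of characters, `?` one character, case-insensitive) follows the spec linked above; the function names are my own.

```python
import re


def glob_to_regex(pattern: str) -> "re.Pattern[str]":
    """Naive glob -> regex translation (`*` -> `.*?`, `?` -> `.`).

    Illustrates the risky approach: a pattern with many `*` makes the regex
    engine backtrack heavily on text that almost, but not quite, matches.
    """
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*?")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def normalize_glob(pattern: str) -> str:
    """Collapse runs of `*`; `a***b` matches exactly what `a*b` matches."""
    return re.sub(r"\*{2,}", "*", pattern)


def glob_match_linear(pattern: str, text: str) -> bool:
    """Case-insensitive glob match with no regex and no exponential blow-up.

    Greedy two-pointer scan: on a mismatch, fall back to the most recent `*`
    and let it absorb one more character of text. Worst case is
    O(len(pattern) * len(text)) no matter how the pattern is shaped.
    """
    pattern, text = normalize_glob(pattern).lower(), text.lower()
    p = t = 0
    star = -1   # pattern index of the last `*` seen (-1: none yet)
    star_t = 0  # text index where that `*` currently starts absorbing
    while t < len(text):
        if p < len(pattern) and pattern[p] == "*":
            star, star_t = p, t
            p += 1
        elif p < len(pattern) and pattern[p] in ("?", text[t]):
            p += 1
            t += 1
        elif star != -1:
            star_t += 1
            p, t = star + 1, star_t
        else:
            return False
    # Only trailing wildcards may remain unconsumed.
    return all(ch == "*" for ch in pattern[p:])
```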

### Patches

The issue is patched by https://github.com/matrix-org/synapse/commit/03318a766cac9f8b053db2214d9c332a977d226c.

### Workarounds

A potential workaround might be to prevent users from making custom push rules, by blocking such requests at a reverse-proxy.

### For more information

If you have any questions or comments about this advisory, email us at [email protected].

Affected Packages

PyPI matrix-synapse
Affected versions: >= 0 (fixed in 1.33.2)

Key Information

GHSA ID
GHSA-x345-32rc-8h85
Published
May 13, 2021 8:22 PM
Last Modified
September 30, 2024 8:43 PM
CVSS Score
5.0 /10
Primary Ecosystem
PyPI
Primary Package
matrix-synapse
GitHub Reviewed
✓ Yes

Dataset

Last updated: September 15, 2025 6:32 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.