CVE-2025-30355 — Synapse vulnerable to federation denial of service via malformed events

Description

Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse version up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.

How to fix CVE-2025-30355

To remediate CVE-2025-30355, upgrade the affected package to a fixed version below.

—upgrade to 1.121.0-6 or later
—upgrade to 1.127.1 or later

Is CVE-2025-30355 being exploited?

Moderate — EPSS is 13.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

from 0, < 1.121.0-6
from 0, < 1.127.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.1	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-30355
ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-30355
PATCHgithub.com/element-hq/synapse
WEBgithub.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389