CVE-2025-61672

Name: CVE-2025-61672
Description: Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. The issue is patched in Synapse 1.138.3, 1.138.4, 1.139.1, and 1.139.2. Note that even though 1.138.3 and 1.139.1 fix the vulnerability, they inadvertently introduced an unrelated regression. For this reason, the maintainers of Synapse recommend skipping these releases and upgrading straight to 1.138.4 and 1.139.2.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs: 1117854

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package         Release      Version     Status
matrix-synapse (PTS)   forky, sid   1.139.2-1   fixed

The information below is based on the following data on fixed versions.

Package          Type     Release      Fixed Version   Urgency   Origin   Debian Bugs
matrix-synapse   source   (unstable)   1.139.2-1       -         -        1117854

Notes

https://github.com/element-hq/synapse/security/advisories/GHSA-fh66-fcv5-jjfr
https://github.com/element-hq/synapse/pull/17097
https://github.com/element-hq/synapse/commit/26aaaf9e48fff80cf67a20c691c75d670034b3c1 (v1.139.1)
https://github.com/element-hq/synapse/commit/7069636c2d6d1ef2022287addf3ed8b919ef2740 (v1.138.3)
