6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26257

GHSA ID

GHSA-hxmp-pqch-c8mm

EPSS Score

0.62852%

CWE

CWE-74

Published

12/9/2020

Updated

9/24/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-26257

CVE-2020-26257: Denial of service attack via incorrect parameters in Matrix Synapse

Impact

A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a /send_join, /send_leave, /invite or /exchange_third_party_invite request.

This can lead to a denial of service in which future events will not be correctly sent to other servers over federation.

This affects any server which accepts federation requests from untrusted servers.

Patches

Issue is resolved by https://github.com/matrix-org/synapse/pull/8776.

Workarounds

Homeserver administrators could limit access to the federation API to trusted servers (for example via federation_domain_whitelist).

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26257

GHSA ID

GHSA-hxmp-pqch-c8mm

EPSS Score

0.62852%

CWE

CWE-74

Published

12/9/2020

Updated

9/24/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
matrix-synapse	pip	< 1.23.1	1.23.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from endpoints (/send_join, /send_leave, /invite, /exchange_third_party_invite) trusting room_id from URL path parameters instead of validating against the request body. The fix in PR #8776 shows these functions were modified to use 'room_id' from content via assert_params_in_dict checks. The original implementations' failure to verify path/body consistency allowed attackers to specify conflicting room IDs, leading to state corruption and DoS.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t * m*li*ious or poorly-impl*m*nt** *om*s*rv*r **n inj**t m*l*orm** *v*nts into * room *y sp**i*yin* * *i***r*nt room i* in t** p*t* o* * `/s*n*_join`, `/s*n*_l**v*`, `/invit*` or `/*x***n**_t*ir*_p*rty_invit*` r*qu*st. T*is **n l*** to *

Reasoning

T** vuln*r**ility st*mm** *rom *n*points (/s*n*_join, /s*n*_l**v*, /invit*, /*x***n**_t*ir*_p*rty_invit*) trustin* room_i* *rom URL p*t* p*r*m*t*rs inst*** o* v*li**tin* ***inst t** r*qu*st *o*y. T** *ix in PR #**** s*ows t**s* *un*tions w*r* mo*i*i*

6.5

Basic Information

Concerned about an active attack path?

CVE-2020-26257: Denial of service attack via incorrect parameters in Matrix Synapse

Impact

Patches

Workarounds

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI