7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41281

GHSA ID

GHSA-3hfw-x7gx-437c

EPSS Score

0.66906%

CWE

CWE-22

Published

11/23/2021

Updated

9/24/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2021-41281

CVE-2021-41281: Path traversal in Matrix Synapse

Impact

Synapse instances with the media repository enabled can be tricked into downloading a file from a remote server into an arbitrary directory, potentially outside the media store directory.

The last two directories and file name of the path are chosen randomly by Synapse and cannot be controlled by an attacker, which limits the impact.

Homeservers with the media repository disabled are unaffected. Homeservers configured with a federation whitelist are also unaffected.

Patches

Server administrators should upgrade to 1.47.1 or later.

Workarounds

Server administrators using a reverse proxy could, at the expense of losing media functionality, block the following endpoints:

/_matrix/media/r0/download/{serverName}/{mediaId}
/_matrix/media/r0/download/{serverName}/{mediaId}/{fileName}
/_matrix/media/r0/thumbnail/{serverName}/{mediaId}

Alternatively, non-containerized deployments can be adapted to use the hardened systemd config, located at contrib/systemd/override-hardened.conf.

References

n/a

For more information

If you have any questions or comments about this advisory, e-mail us at security@matrix.org.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2021-41281

GHSA ID

GHSA-3hfw-x7gx-437c

EPSS Score

0.66906%

CWE

CWE-22

Published

11/23/2021

Updated

9/24/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
matrix-synapse	pip	< 1.47.1	1.47.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from insufficient validation when constructing file paths from user-controlled inputs. Key evidence includes:

The patch added _validate_path_component checks to all path-building methods in MediaFilePaths
Server name validation was added to parse_media_id
Pre-patch code directly used raw server_name/file_id in os.path.join without sanitization
The CWE-22 classification confirms path traversal via uncontrolled path elements
Commit message explicitly mentions preventing writes outside configured directories

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t Syn*ps* inst*n**s wit* t** m**i* r*pository *n**l** **n ** tri*k** into *ownlo**in* * *il* *rom * r*mot* s*rv*r into *n *r*itr*ry *ir**tory, pot*nti*lly outsi** t** m**i* stor* *ir**tory. T** l*st two *ir**tori*s *n* *il* n*m* o* t** p*t

Reasoning

T** vuln*r**ility st*mm** *rom insu**i*i*nt v*li**tion w**n *onstru*tin* *il* p*t*s *rom us*r-*ontroll** inputs. K*y *vi**n** in*lu**s: *. T** p*t** ***** _v*li**t*_p*t*_*ompon*nt ****ks to *ll p*t*-*uil*in* m*t*o*s in M**i**il*P*t*s *. S*rv*r n*m* v

7.5

Basic Information

Concerned about an active attack path?

CVE-2021-41281: Path traversal in Matrix Synapse

Impact

Patches

Workarounds

References

For more information

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI