8.2

CVSS Score

4.0

Basic Information

CVE ID

CVE-2024-52805

GHSA ID

GHSA-rfq8-j7rh-8hf2

EPSS Score

0.30308%

CWE

CWE-770

Published

12/3/2024

Updated

12/3/2024

KEV Status

Technology

Python

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-52805

CVE-2024-52805: Synapse allows unsupported content types to lead to memory exhaustion

Impact

In Synapse before 1.120.1, multipart/form-data requests can in certain configurations transiently increase memory consumption beyond expected levels while processing the request, which can be used to amplify denial of service attacks.

Patches

Synapse 1.120.1 resolves the issue by denying requests with unsupported multipart/form-data content type.

Workarounds

Limiting request sizes or blocking the multipart/form-data content type before the requests reach Synapse, for example in a reverse proxy, alleviates the issue. Another approach that mitigates the attack is to use a low max_upload_size in Synapse.

References

https://github.com/twisted/twisted/issues/4688#issuecomment-1167705518
https://github.com/twisted/twisted/issues/4688#issuecomment-2385711609

For more information

If you have any questions or comments about this advisory, please email us at security at element.io.

(GitHub Advisory)

8.2

CVSS Score

4.0

Basic Information

CVE ID

CVE-2024-52805

GHSA ID

GHSA-rfq8-j7rh-8hf2

EPSS Score

0.30308%

CWE

CWE-770

Published

12/3/2024

Updated

12/3/2024

KEV Status

Technology

Python

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
matrix-synapse	pip	< 1.120.1	1.120.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper handling of multipart/form-data requests. Synapse's media upload endpoint (MediaRepositoryResource) likely processes these requests using Twisted's HTTP stack. The high-confidence entry points to Synapse's own media handling code where Content-Type validation was missing before processing. The medium-confidence Twisted function shows the underlying framework behavior that exacerbates the issue when unsupported content types are allowed. The CWE-770 alignment and references to Twisted's multipart processing issues (#4688) support this analysis.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

### Imp**t In Syn*ps* ***or* *.***.*, `multip*rt/*orm-**t*` r*qu*sts **n in **rt*in *on*i*ur*tions tr*nsi*ntly in*r**s* m*mory *onsumption **yon* *xp**t** l*v*ls w*il* pro**ssin* t** r*qu*st, w*i** **n ** us** to *mpli*y **ni*l o* s*rvi** *tt**ks.

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* multip*rt/*orm-**t* r*qu*sts. Syn*ps*'s m**i* uplo** *n*point (M**i*R*positoryR*sour**) lik*ly pro**ss*s t**s* r*qu*sts usin* Twist**'s `*TTP` st**k. T** *i**-*on*i**n** *ntry points to Syn*ps*'s own

8.2

Basic Information

Concerned about an active attack path?

CVE-2024-52805: Synapse allows unsupported content types to lead to memory exhaustion

Impact

Patches

Workarounds

References

For more information

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI