The vulnerability lies in the lack of input validation when a user uploads end-to-end encryption keys via the /_matrix/client/v3/keys/upload API endpoint. The analysis of the patch commits 26aaaf9e48fff80cf67a20c691c75d670034b3c1 and 7069636c2d6d1ef2022287addf3ed8b919ef2740 reveals that the KeyUploadServlet.on_POST method in synapse/rest/client/keys.py was the primary point of failure. It accepted a JSON body from the user and passed it to the E2eKeysHandler.upload_keys_for_user function in synapse/handlers/e2e_keys.py without ensuring the data conformed to the expected structure. An attacker could provide an invalid data structure for device_keys, one_time_keys, or fallback_keys (e.g., a list instead of a dictionary). This would cause downstream processing in E2eKeysHandler.upload_keys_for_user to fail, leading to a persistent error state that would break outbound federation from the homeserver. The patch introduces strict validation at the API boundary using a Pydantic model (KeyUploadRequestBody) to reject any malformed requests immediately. Therefore, both the servlet method that accepts the input and the handler method that processes it are identified as key functions in the vulnerability.
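To show what the missing boundary check looks like, here is an added example (not Synapse's code; the project's fix uses a Pydantic model) that validates a /keys/upload body with the standard library only, refusing a list where a dictionary is required before anything reaches the handler. The sample bodies and the `MalformedKeyUpload` name are constructed for this illustration.

```python
import json
from typing import Any, Dict

# Top-level fields of the /keys/upload body; each, when present, must be a
# JSON object. The field names come from the Matrix API; the rest is illustrative.
OBJECT_FIELDS = ("device_keys", "one_time_keys", "fallback_keys")


class MalformedKeyUpload(ValueError):
    """Raised at the API boundary so the handler never sees a bad shape."""


def validate_key_upload(body: Any) -> Dict[str, Any]:
    """Reject a keys/upload body whose fields are not the expected types."""
    if not isinstance(body, dict):
        raise MalformedKeyUpload("request body must be a JSON object")
    for field in OBJECT_FIELDS:
        if field in body and not isinstance(body[field], dict):
            raise MalformedKeyUpload(
                f"{field} must be a JSON object, got {type(body[field]).__name__}"
            )
    # one_time_keys / fallback_keys map "<algorithm>:<key_id>" to key data,
    # which is a string (unsigned key) or an object (signed key).
    for field in ("one_time_keys", "fallback_keys"):
        for key_id, key in body.get(field, {}).items():
            if ":" not in key_id:
                raise MalformedKeyUpload(f"{field}: bad key id {key_id!r}")
            if not isinstance(key, (str, dict)):
                raise MalformedKeyUpload(f"{field}: bad key value for {key_id}")
    return body


def parse_key_upload(raw: str) -> Dict[str, Any]:
    """Decode a raw request body and validate it in one step."""
    return validate_key_upload(json.loads(raw))


def rejects(raw: str) -> bool:
    """True when the body is refused at the boundary (JSON errors included)."""
    try:
        parse_key_upload(raw)
    except ValueError:
        return True
    return False


# Constructed sample bodies: one well-formed, one using a list where the
# API expects a dictionary, the shape the advisory describes.
GOOD_BODY = json.dumps({
    "device_keys": {"user_id": "@alice:example.org", "device_id": "ABC"},
    "one_time_keys": {"signed_curve25519:AAAAHQ": {"key": "base64..."}},
})
BAD_BODY = json.dumps({"one_time_keys": ["signed_curve25519:AAAAHQ"]})
```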
| Function | File |
|---|---|
| KeyUploadServlet.on_POST | synapse/rest/client/keys.py |
| E2eKeysHandler.upload_keys_for_user | synapse/handlers/e2e_keys.py |
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| matrix-synapse | pip | < 1.138.3 | 1.138.3 |
| matrix-synapse | pip | >= 1.139.0rc2, < 1.139.1 | 1.139.1 |