A security issue was found in matrix-synapse before version 1.23.1. A malicious or poorly-implemented homeserver can inject malformed events into a room by specifying a different room id in the path of a /send_join, /send_leave, /invite or /exchange_third_party_invite request. This can lead to a denial of service in which future events will not be correctly sent to other servers over federation. This affects any server which accepts federation requests from untrusted servers.
https://github.com/matrix-org/synapse/security/advisories/GHSA-hxmp-pqch-c8mm
https://github.com/matrix-org/synapse/pull/8776
https://github.com/matrix-org/synapse/commit/3ce2f303f15f6ac3dc352298972dc6e04d9b7a8b

Workaround
==========

This issue can be mitigated by disabling federation requests from untrusted servers.
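
The description above turns on a mismatch between the room id in the request path and the room id carried by the event. The following is an added example of a check for that mismatch; it is not Synapse's code or the patch in the linked pull request. The function names are hypothetical, the path layout is assumed from the Matrix federation API, and the sample values are constructed.

```python
import re
from urllib.parse import unquote

# The four endpoints named in the advisory. The room id is the first path
# segment after the endpoint name (layout assumed from the federation API).
_ROOM_PATH = re.compile(
    r"^/_matrix/federation/v[12]/"
    r"(send_join|send_leave|invite|exchange_third_party_invite)"
    r"/([^/]+)(?:/[^/]+)?$"
)


class RoomIdMismatch(ValueError):
    """The event names a different room than the request path."""


def room_id_from_path(path):
    """Return the percent-decoded room id for an affected endpoint, else None."""
    match = _ROOM_PATH.match(path.split("?", 1)[0])  # drop any query string
    return unquote(match.group(2)) if match else None


def check_event_room(path, event):
    """Hypothetical helper: raise unless event["room_id"] equals the path room id.

    Returns the validated room id, or None when the path is not one of the
    affected endpoints. A missing or non-string room_id is also rejected.
    """
    path_room = room_id_from_path(path)
    if path_room is None:
        return None
    event_room = event.get("room_id")
    if not isinstance(event_room, str) or event_room != path_room:
        raise RoomIdMismatch(f"path room {path_room!r} != event room {event_room!r}")
    return path_room


if __name__ == "__main__":
    # Constructed sample request: path and event body disagree on the room.
    path = "/_matrix/federation/v2/send_join/%21abc%3Aexample.org/%24ev1"
    for body in ({"room_id": "!abc:example.org"}, {"room_id": "!other:example.org"}):
        try:
            print("accepted for", check_event_room(path, body))
        except RoomIdMismatch as exc:
            print("rejected:", exc)
```

The caller is expected to pass the event object itself; where an endpoint wraps the event in an outer JSON object, unwrap it before calling the check.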