Skip to content
This repository has been archived by the owner on Apr 26, 2024. It is now read-only.

Denial of service attack via push rule patterns

Moderate
richvdh published GHSA-x345-32rc-8h85 May 11, 2021

Package

pip matrix-synapse (pip)

Affected versions

< 1.33.2

Patched versions

>= 1.33.2

Description

Impact

"Push rules" can specify conditions under which they will match, including event_match, which matches event content against a pattern including wildcards.

Certain patterns can cause very poor performance in the matching engine, leading to a denial-of-service when processing moderate length events.

Patches

The issue is patched by 03318a7.

Workarounds

A potential workaround might be to prevent users from making custom push rules, by blocking such requests at a reverse-proxy.

For more information

If you have any questions or comments about this advisory, email us at security@matrix.org.

Severity

Moderate

CVE ID

CVE-2021-29471

Weaknesses

No CWEs