CVE-2025-30355
Published: 27 March 2025
Summary
CVE-2025-30355 is a high-severity Improper Input Validation (CWE-20) vulnerability in Matrix Synapse. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 5.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
Synapse, an open source Matrix homeserver implementation, is affected by a denial-of-service vulnerability in versions up to 1.127.0. The flaw stems from improper input validation (CWE-20) that allows specially crafted events received over federation to disrupt normal operation, carrying a CVSS 7.1 score reflecting network attack vector, low complexity, and high availability impact.
A malicious federated server can exploit the issue by sending the crafted events to a vulnerable Synapse instance, causing it to stop federating with other servers while leaving other functionality potentially intact. The attack requires the ability to participate in Matrix federation but needs no user interaction or elevated privileges on the target.
The official advisory and release notes state that the vulnerability is resolved in Synapse 1.127.1, with the fix delivered in commit 2277df2a1eb685f85040ef98fa21d41aa4cdd389; no workarounds are available. The GitHub Security Advisory GHSA-v56r-hwv5-mxg6 and the corresponding release tag provide the patch details for administrators.
The vulnerability has already been exploited in the wild. Its EPSS score stands at 0.1320 with no material change from the observed peak.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-8265
Vulnerability details
Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse versions up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.
- CWE(s): CWE-20 (Improper Input Validation)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability lets a malicious federated server inject crafted events over the federation protocol, causing a denial of federation on the target homeserver; this maps directly to T1499.004 (Application or System Exploitation).
Mitigating Controls (NIST 800-53 r5)
SI-2 requires timely identification, reporting, and correction of system flaws. It directly mitigates CVE-2025-30355 by patching Synapse to version 1.127.1, which stops crafted federation events from disrupting federation.
SI-10 enforces validation of system information inputs, addressing the improper input validation root cause that allows maliciously crafted federation events to cause denial-of-federation in Synapse.
RA-5 provides vulnerability monitoring and scanning to identify CVE-2025-30355 in Synapse deployments, enabling prioritization and remediation before exploitation.