Cyber Resilience

CVE-2025-30355

Severity: High
Published: 27 March 2025
Modified: 26 August 2025
KEV Added: not listed
Patch: available (Synapse 1.127.1)
CVSS v3.1: 7.1 (High) CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
EPSS: 0.1320 (94.3rd percentile)
Risk Priority: 22 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-30355 is a high-severity Improper Input Validation (CWE-20) vulnerability in Matrix Synapse. Its CVSS base score is 7.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Application or System Exploitation (T1499.004). Its EPSS score places it in the top 5.7% of CVEs by exploit likelihood, yet it is not currently listed in the CISA KEV catalog, even though the vendor advisory reports exploitation in the wild.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation). SI-10 addresses the root cause and is delivered by the vendor's code fix; for an operator the actionable control is SI-2, upgrading to Synapse 1.127.1 or later.

Deeper analysis

Synapse, an open source Matrix homeserver implementation, is affected by a denial-of-service vulnerability in versions up to and including 1.127.0. The flaw stems from improper input validation (CWE-20) that allows specially crafted events received over federation to disrupt normal operation. The CVSS 7.1 score reflects a network attack vector, low attack complexity, low privileges required, and high availability impact.

A malicious federated server can exploit the issue by sending the crafted events to a vulnerable Synapse instance, causing it to stop federating with other servers while potentially leaving client-facing functionality intact. The PR:L component of the vector reflects that the attacker must operate a homeserver that federates with the target; no user interaction and no account on the target are required. Because Synapse federates with any server by default, any party able to stand up a homeserver meets that bar.

The official advisory and release notes state that the vulnerability is resolved in Synapse 1.127.1, with the fix delivered in commit 2277df2a1eb685f85040ef98fa21d41aa4cdd389; no workarounds are available. The GitHub Security Advisory GHSA-v56r-hwv5-mxg6 and the corresponding release tag provide the patch details for administrators.

The vendor advisory reports that the vulnerability has been exploited in the wild. Its EPSS score stands at 0.1320, unchanged from its observed peak.

Vulnerability details

Synapse is an open source Matrix homeserver implementation. A malicious server can craft events which, when received, prevent Synapse versions up to 1.127.0 from federating with other servers. The vulnerability has been exploited in the wild and has been fixed in Synapse v1.127.1. No known workarounds are available.

CWE(s)

CWE-20 Improper Input Validation

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The vulnerability lets a remote homeserver inject crafted events over the federation protocol to cause a denial of federation on the target homeserver, which maps directly to T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22862 (shared CWE-20)
CVE-2026-22868 (shared CWE-20)
CVE-2025-70123 (shared CWE-20)
CVE-2025-61616 (shared CWE-20)
CVE-2026-22565 (shared CWE-20)
CVE-2026-22699 (shared CWE-20)
CVE-2026-33218 (shared CWE-20)
CVE-2025-59032 (shared CWE-20)
CVE-2026-22700 (shared CWE-20)
CVE-2026-27623 (shared CWE-20)

Affected Assets

matrix
synapse
≤ 1.127.0 (fixed in 1.127.1)

Mitigating Controls (NIST 800-53 r5)

prevent: SI-2 (Flaw Remediation) requires timely identification, reporting, and correction of system flaws. It directly mitigates CVE-2025-30355 by patching Synapse to version 1.127.1 or later, which stops crafted federation events from disrupting federation.

prevent: SI-10 (Information Input Validation) enforces validation of system information inputs, addressing the improper input validation root cause that allows maliciously crafted federation events to cause a denial of federation in Synapse. This control is implemented in the vendor's fix; operators obtain it by upgrading, since no configuration workaround is available.

detect: RA-5 (Vulnerability Monitoring and Scanning) identifies CVE-2025-30355 in Synapse deployments by reporting homeservers that still run an affected version, enabling prioritisation and remediation before exploitation.
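The following script is an added example for the RA-5 check above and for the affected-version statements in the analysis; it is not code from this page or from the Synapse project. It reads the public federation endpoint GET /_matrix/federation/v1/version, which a Synapse homeserver serves on its federation listener and which returns a JSON document of the form {"server": {"name": "Synapse", "version": "..."}}, and decides whether the reported version is at or below 1.127.0. The default port 8448, the exact server name string, and the treatment of release candidates are assumptions noted in the comments; the sample responses are constructed, not captured.

```python
"""Flag Synapse homeservers whose reported version is affected by
CVE-2025-30355 (fixed in Synapse 1.127.1 per GHSA-v56r-hwv5-mxg6).

Added example; not part of the page or the Synapse project.
"""
import json
import re
import sys
import urllib.request

# First fixed release according to the advisory.
FIXED_VERSION = (1, 127, 1)

# Matches the leading numeric release and an optional rc suffix, e.g.
# "1.127.0", "1.127.0rc2", or "1.127.0 (b=matrix-org-hotfixes,...)".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(rc\d+)?")


def parse_version(version: str):
    """Return (major, minor, patch, is_prerelease), or None if unparseable."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        return None
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), rc is not None)


def is_vulnerable(version: str) -> bool:
    """True when the version is at or below 1.127.0.

    Assumption: a release candidate of the fixed version (e.g. "1.127.1rc1")
    is treated as still vulnerable, because the advisory only names 1.127.1.
    Unparseable strings raise ValueError rather than being silently marked safe.
    """
    parsed = parse_version(version)
    if parsed is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch, prerelease = parsed
    release = (major, minor, patch)
    if release < FIXED_VERSION:
        return True
    if release == FIXED_VERSION and prerelease:
        return True
    return False


def assess(response_body: str) -> dict:
    """Interpret a /_matrix/federation/v1/version JSON body."""
    doc = json.loads(response_body)
    server = doc.get("server", {})
    name = server.get("name", "")
    version = server.get("version", "")
    # Assumption: Synapse reports its name as "Synapse"; compared case-insensitively.
    if name.lower() != "synapse":
        # Other homeservers (Dendrite, Conduit, ...) are out of scope for this CVE.
        return {"name": name, "version": version, "synapse": False, "vulnerable": None}
    return {"name": name, "version": version, "synapse": True,
            "vulnerable": is_vulnerable(version)}


def fetch_version(host: str, port: int = 8448, timeout: float = 10.0) -> str:
    """Fetch the raw version document from a live server (needs network access).

    Assumption: federation is served directly on host:8448. Servers that delegate
    via .well-known or SRV records need the resolved host/port passed in instead.
    """
    url = f"https://{host}:{port}/_matrix/federation/v1/version"
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed sample responses for offline use (not captured from real servers).
SAMPLES = {
    "affected": '{"server": {"name": "Synapse", "version": "1.127.0"}}',
    "fixed": '{"server": {"name": "Synapse", "version": "1.127.1"}}',
    "later": '{"server": {"name": "Synapse", "version": "1.130.0"}}',
    "other": '{"server": {"name": "Dendrite", "version": "0.13.7"}}',
}

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(assess(fetch_version(sys.argv[1])))
    else:
        for label, body in SAMPLES.items():
            print(label, assess(body))
```

Run it with no arguments to see the constructed samples classified, or with a hostname to query a live federation listener. A "vulnerable": None result means the server is not Synapse and the check does not apply; a ValueError means the version string could not be parsed and should be reviewed by hand rather than assumed patched.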
