CVE-2022-31052 Information
Description
Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1 URL previews of some web pages can exhaust the available stack space for the Synapse process due to unbounded recursion. This is sometimes recoverable and leads to an error for the request causing the problem but in other cases the Synapse process may crash altogether. It is possible to exploit this maliciously either by malicious users on the homeserver or by remote users sending URLs that a local user’s client may automatically request a URL preview for. Remote users are not able to exploit this directly because the URL preview endpoint is authenticated. Deployments with url_preview_enabled: false set in configuration are not affected. Deployments with url_preview_enabled: true set in configuration are affected. Deployments with no configuration value set for url_preview_enabled are not affected because the default is false. Administrators of homeservers with URL previews enabled are advised to upgrade to v1.61.1 or higher. Users unable to upgrade should set url_preview_enabled to false.
Reference
https://github.com/matrix-org/synapse/security/advisories/GHSA-22p3-qrh9-cx32
https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url
https://spec.matrix.org/v1.2/client-server-api/#get_matrixmediav3preview_url
https://github.com/matrix-org/synapse/commit/fa1308061802ac7b7d20e954ba7372c5ac292333
Synapse
is
an
open
source
home
server
implementation
for
the
Matrix
chat
network.
In
versions
prior
to
1.61.1
URL
previews
of
some
web
pages
can
exhaust
the
available
stack
space
for
the
Synapse
process
due
to
unbounded
recursion.
This
is
sometimes
recoverable
and
leads
to
an
error
for
the
request
causing
the
problem
but
in
other
cases
the
Synapse
process
may
crash
altogether.
It
is
possible
to
exploit
this
maliciously
either
by
malicious
users
on
the
homeserver
or
by
remote
users
sending
URLs
that
a
local
user’s
client
may
automatically
request
a
URL
preview
for.
Remote
users
are
not
able
to
exploit
this
directly
because
the
URL
preview
endpoint
is
authenticated.
Deployments
with
url_preview_enabled: false
set
in
configuration
are
not
affected.
Deployments
with
url_preview_enabled: true
set
in
configuration
are
affected.
Deployments
with
no
configuration
value
set
for
url_preview_enabled
are
not
affected
because
the
default
is
false.
Administrators
of
homeservers
with
URL
previews
enabled
are
advised
to
upgrade
to
v1.61.1
or
higher.
Users
unable
to
upgrade
should
set
url_preview_enabled
to
false.