Arbitrary file upload in Element-hq Synapse

CVE-2024-53863

Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats…

Vulnerability class: Unrestricted File Upload

EPSS: 0.010 (76.8th percentile)

Affected products

Weakness classification (CWE)

References