Vulnerability in Element-hq Synapse

CVE-2025-61672

Synapse is an open source Matrix homeserver implementation. Lack of validation for device keys in Synapse before 1.138.3 and in Synapse 1.139.0 allows an attacker registered on the victim homeserver to degrade federation functionality, unpr…

EPSS: 0.000 (14.6th percentile)

Affected products

Weakness classification (CWE)

Public proof-of-concept exploits

References

Frequently asked questions

What is CVE-2025-61672?
CVE-2025-61672 is a vulnerability in Element-hq Synapse, classified under CWE-1287. Published 2025-10-08.
Is CVE-2025-61672 known to be exploited?
1 public proof-of-concept repository is indexed. Not currently listed in the CISA KEV catalog.