CVE-2024-31208

Publication date 23 April 2024

Last updated 23 April 2025


Ubuntu priority

Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available: ban the malicious users, use server ACLs to block the offending servers from the affected rooms, and/or leave the room and purge it using the admin API.

Status

Package         Ubuntu Release      Status
matrix-synapse  24.10 oracular      Ignored (fix infeasible)
                24.04 LTS noble     Ignored (fix infeasible)
                23.10 mantic        Ignored (end of life, was needs-triage)
                22.04 LTS jammy
                20.04 LTS focal     Ignored (patch infeasible)
                18.04 LTS bionic    Ignored (patch infeasible)
synapse         25.04 plucky        Needs evaluation
                24.10 oracular      Needs evaluation
                24.04 LTS noble     Needs evaluation
                23.10 mantic        Ignored (end of life, was needs-triage)
                22.04 LTS jammy     Needs evaluation
                20.04 LTS focal     Needs evaluation
                18.04 LTS bionic    Needs evaluation
                16.04 LTS xenial    Needs evaluation

Notes


john-breton

matrix-synapse versions < 1.53.0-1 have major changes that prevent a patch from being feasibly applied for this CVE. Noble and oracular are FTBFS for matrix-synapse and will be ignored due to the infeasibility of providing fixes for the releases.