element-hq synapse up to 1.105.0 V2 State Resolution Algorithm allocation of resources
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 6.3 | $0-$5k | 0.00 |
Summary
A vulnerability was found in element-hq synapse up to 1.105.0. It has been rated as critical. Affected is an unknown function of the component V2 State Resolution Algorithm. The manipulation leads to allocation of resources. This vulnerability is documented as CVE-2024-31208. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is advised.
Details
A vulnerability, which was classified as critical, has been found in element-hq synapse up to 1.105.0. This issue affects an unknown function of the component V2 State Resolution Algorithm. The manipulation with an unknown input leads to a allocation of resources vulnerability. Using CWE to declare the problem leads to CWE-770. The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor. Impacted is availability. The summary by CVE is:
Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available. One can ban the malicious users or ACL block servers from the rooms and/or leave the room and purge the room using the admin API.
The advisory is shared at github.com. The identification of this vulnerability is CVE-2024-31208 since 03/29/2024. The exploitation is known to be easy. The attack may be initiated remotely. Neither technical details nor an exploit are publicly available. MITRE ATT&CK project uses the attack technique T1499 for this issue.
The vulnerability scanner Nessus provides a plugin with the ID 234734 (Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : Synapse vulnerabilities (USN-7444-1)), which helps to determine the existence of the flaw in a target environment.
Upgrading to version 1.105.1 eliminates this vulnerability. The upgrade is hosted for download at github.com. Applying the patch 55b0aa847a61774b6a3acdc4b177a20dc019f01a is able to eliminate this problem. The bugfix is ready for download at github.com. The best possible mitigation is suggested to be upgrading to the latest version.
The vulnerability is also documented in the vulnerability database at Tenable (234734). If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Product
Vendor
Name
Version
License
Website
CPE 2.3
CPE 2.2
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.5VulDB Meta Temp Score: 6.3
VulDB Base Score: 6.5
VulDB Temp Score: 6.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
CNA Base Score: 6.5
CNA Vector (GitHub, Inc.): 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
Exploiting
Class: Allocation of resourcesCWE: CWE-770 / CWE-400 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Physical: No
Local: No
Remote: Yes
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 234734
Nessus Name: Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS : Synapse vulnerabilities (USN-7444-1)
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
0-Day Time: 🔍
Upgrade: synapse 1.105.1
Patch: 55b0aa847a61774b6a3acdc4b177a20dc019f01a
Timeline
03/29/2024 🔍04/23/2024 🔍
04/23/2024 🔍
08/27/2025 🔍
Sources
Product: github.comAdvisory: GHSA-3h7q-rfh9-xm4v
Status: Confirmed
CVE: CVE-2024-31208 (🔍)
GCVE (CVE): GCVE-0-2024-31208
GCVE (VulDB): GCVE-100-261821
Entry
Created: 04/23/2024 20:47Updated: 08/27/2025 00:42
Changes: 04/23/2024 20:47 (67), 04/23/2025 15:02 (3), 08/27/2025 00:42 (1)
Complete: 🔍
Cache ID: 216::103
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
No comments yet. Languages: en.
Please log in to comment.