CVE-2022-39374— Synapse Denial of service due to incorrect application of event authorization rules during state resolution
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2022-39374
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Synapse Denial of service due to incorrect application of event authorization rules during state resolution
Source: NVD (National Vulnerability Database)
Vulnerability Description
Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. If Synapse and a malicious homeserver are both joined to the same room, the malicious homeserver can trick Synapse into accepting previously rejected events into its view of the current state of that room. This can be exploited in a way that causes all further messages and state changes sent in that room from the vulnerable homeserver to be rejected. This issue has been patched in version 1.68.0
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Matrix 资源管理错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Matrix Synapse是英国Matrix基金会的一款矩阵管理服务器的实现。 Matrix Synapse 存在安全漏洞,该漏洞源于如果 Synapse 和恶意家庭服务器都加入了同一个房间,则恶意家庭服务器可以诱使 Synapse 接受先前拒绝的事件,并将其纳入该房间的当前状态视图。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| matrix-org | synapse | >= 1.62.0, < 1.68.0 | - |
II. Public POCs for CVE-2022-39374
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2022-39374
请登录查看更多情报信息。
- https://github.com/matrix-org/synapse/pull/13723x_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2022-39374
Same Patch Batch · matrix-org · 2023-05-26 · 3 CVEs total
| CVE-2023-32323 | 5.0 MEDIUM | Synapse Outgoing federation to specific hosts can be disabled by sending malicious invites |
| CVE-2022-39335 | 5.0 MEDIUM | Synapse does not apply enough checks to servers requesting auth events of events in a room |
IV. Related Vulnerabilities
Same product: synapse
- CVE-2025-61672
Synapse: Invalid device keys degrade federation functionalit - CVE-2025-30355
Synapse vulnerable to federation denial of service via malfo - CVE-2024-37303
Synapse unauthenticated writes to the media repository allow - CVE-2024-37302
Synapse denial of service through media disk space consumpti - CVE-2024-52805
Synapse allows unsupported content types to lead to memory e
Same vendor: matrix-org
- CVE-2025-66622
matrix-sdk-base is vulnerable to DoS via custom m.room.join_ - CVE-2025-59160
matrix-js-sdk has insufficient validation when considering a - CVE-2025-59047
matrix-sdk-base has panic in the `RoomMember::normalized_pow - CVE-2025-53549
Matrix Rust SDK allows SQL injection in the EventCache imple - CVE-2025-48937
matrix-sdk-crypto vulnerable to sender of encrypted events b
Same weakness: CWE-400
- CVE-2026-8187
Open5GS UPF gtp-path.c _gtpv1_u_recv_cb resource consumption - CVE-2026-42343
FastGPT: Uncontrolled Resource Consumption leading to Sandbo - CVE-2026-42212
SolidCAM-GPPL-IDE: XML External Entity (XXE) and billion-lau - CVE-2026-32686
Unbounded exponent in decimal enables unauthenticated DoS - CVE-2026-20188
Cisco Crosswork Network Controller and Cisco Network Service
V. Comments for CVE-2022-39374
No comments yet