CVE-2024-53867— Synapse Matrix has a partial room state leak via Sliding Sync
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-53867
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Synapse Matrix has a partial room state leak via Sliding Sync
Source: NVD (National Vulnerability Database)
Vulnerability Description
Synapse is an open-source Matrix homeserver. The Sliding Sync feature on Synapse versions between 1.113.0rc1 and 1.120.0 can leak partial room state changes to users no longer in a room. Non-state events, like messages, are unaffected. This vulnerability is fixed in 1.120.1.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
将系统数据暴露到未授权控制的范围
Source: NVD (National Vulnerability Database)
Vulnerability Title
Element Synapse 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Element Synapse是Element开源的一个开源 Matrix 家庭服务器实现。 Element Synapse存在安全漏洞,该漏洞源于Sliding Sync功能可能会将部分房间状态更改泄露给不再在房间中的用户。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| element-hq | synapse | >= 1.113.0rc1, < 1.120.1 | - |
II. Public POCs for CVE-2024-53867
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-53867
请登录查看更多情报信息。
Same Patch Batch · element-hq · 2024-12-03 · 6 CVEs total
| CVE-2024-37302 | 7.5 HIGH | Synapse denial of service through media disk space consumption |
| CVE-2024-37303 | 5.3 MEDIUM | Synapse unauthenticated writes to the media repository allow planting of problematic conte |
| CVE-2024-53863 | Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially | |
| CVE-2024-52815 | Synapse allows a a malformed invite to break the invitee's `/sync` | |
| CVE-2024-52805 | Synapse allows unsupported content types to lead to memory exhaustion |
IV. Related Vulnerabilities
Same product: synapse
- CVE-2025-61672
Synapse: Invalid device keys degrade federation functionalit - CVE-2025-30355
Synapse vulnerable to federation denial of service via malfo - CVE-2024-37303
Synapse unauthenticated writes to the media repository allow - CVE-2024-37302
Synapse denial of service through media disk space consumpti - CVE-2024-52805
Synapse allows unsupported content types to lead to memory e
Same vendor: element-hq
- CVE-2026-24044
ESS Community Helm Chart has a weak server key generation me - CVE-2025-62425
Matrix Authentication Service account password can be change - CVE-2025-61672
Synapse: Invalid device keys degrade federation functionalit - CVE-2025-59161
In Element Web and Element Desktop, a malicious room can hid - CVE-2025-27599
Element X Android vulnerable to loading malicious web pages
Same weakness: CWE-497
- CVE-2026-7864
Exposure of Sensitive Information to an Unauthorized Actor - CVE-2026-41928
Vvveb < 1.0.8.2 Information Disclosure via Cron Controller - CVE-2026-25468
WordPress Happy Addons for Elementor plugin <= 3.20.8 - Sens - CVE-2026-42644
WordPress BetterDocs plugin <= 4.3.10 - Sensitive Data Expos - CVE-2026-24222
NVIDIA NeMoClaw 安全漏洞
V. Comments for CVE-2024-53867
No comments yet