CVE-2024-53863

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-53863
Synapse is an open-source Matrix homeserver. In Synapse versions before 1.120.1, enabling the dynamic_thumbnails option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem. Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP. This vulnerability is fixed in 1.120.1.

9.1 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*
History

26 Aug 2025, 14:59

Type Values Removed Values Added
First Time Matrix synapse
Matrix
References () https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g - () https://github.com/element-hq/synapse/security/advisories/GHSA-vp6v-whfm-rv3g - Vendor Advisory
CVSS v2 : unknown
v3 : unknown 		v2 : unknown
v3 : 9.1
Summary
  • (es) Synapse es un servidor doméstico Matrix de código abierto. En las versiones de Synapse anteriores a la 1.120.1, habilitar la opción dynamic_thumbnails o procesar una solicitud especialmente manipulada podía activar la decodificación y la generación de miniaturas de formatos de imagen poco comunes, lo que podría invocar herramientas externas como Ghostscript para su procesamiento. Esto amplía significativamente la superficie de ataque en un área históricamente vulnerable, lo que presenta un riesgo que supera con creces el beneficio, en particular porque estos formatos rara vez se utilizan en la web abierta o dentro del ecosistema Matrix. Synapse 1.120.1 soluciona el problema al restringir la generación de miniaturas a imágenes en los siguientes formatos ampliamente utilizados: PNG, JPEG, GIF y WebP. Esta vulnerabilidad se solucionó en la versión 1.120.1.
CPE cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:*

03 Dec 2024, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2024-12-03 17:15

Updated : 2025-08-26 14:59

NVD link : CVE-2024-53863

Mitre link : CVE-2024-53863

CVE.ORG link : CVE-2024-53863

JSON object : View

Products Affected

matrix

  • synapse
CWE
CWE-434

Unrestricted Upload of File with Dangerous Type