Impact
Local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service.
Homeservers that trust all their local users are not at risk.
Patches
Update to Synapse 1.152.1 or later.
Workarounds
If Synapse is deployed behind a reverse proxy, the reverse proxy could be configured to limit the rate of user requests,
preventing or increasing the difficulty of the attack.
Identifiers
For more information
If you have any questions or comments about this advisory, please email us at security at element.io.
Impact
Local authenticated users can cause Synapse to starve other requests of CPU and lead to other requests failing, causing other users to be denied service.
Homeservers that trust all their local users are not at risk.
Patches
Update to Synapse 1.152.1 or later.
Workarounds
If Synapse is deployed behind a reverse proxy, the reverse proxy could be configured to limit the rate of user requests,
preventing or increasing the difficulty of the attack.
Identifiers
For more information
If you have any questions or comments about this advisory, please email us at security at element.io.