GHSA-3h7q-rfh9-xm4v · Severity: medium · Ecosystem: pip — Synapse V2 state resolution weakness allows Denial of Service (DoS)
Synapse is an open-source Matrix homeserver. A remote Matrix user with malicious intent, sharing a room with Synapse instances before 1.105.1, can dispatch specially crafted events to exploit a weakness in the V2 state resolution algorithm. This can induce high CPU consumption and accumulate excessive data in the database of such instances, resulting in a denial of service. Servers in private federations, or those that do not federate, are not affected. Server administrators should upgrade to 1.105.1 or later. Some workarounds are available: administrators can ban the malicious users or use server ACLs to block their servers from the affected rooms, and/or leave the room and purge it using the admin API.
Conclusion & alert: CVE-2024-31208 is rated Moderate Risk (58.2/100): CVSS Medium severity, with medium exploitation likelihood (EPSS 4.19%). Core evidence: EPSS rose +1.10% over the last day, indicating growing attacker interest. Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-01 | 3.09% | 4.19% | +1.10% |
| 2 | 2026-05-12 | 2.30% | 3.09% | +0.79% |
| 3 | 2026-03-04 | — | 2.30% | — |
Full EPSS history (42 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 6.5 | 3.1 | MEDIUM | | 2.8 | 3.6 | [email protected] |
| vendor | priority | summary | link |
|---|---|---|---|
| alpine | — | CVE-2024-31208: 1 source package (synapse); 34 state rows across 4 repos (3.20-community, 3.21-community, 3.22-community, edge-community); fixed 4, open 30. | https://security.alpinelinux.org/vuln/CVE-2024-31208 |
| debian | not yet assigned | CVE-2024-31208 not yet assigned a priority: Debian, including 1 source package (matrix-synapse), 2 status rows across 2 suites (forky, sid): resolved 2. | https://security-tracker.debian.org/tracker/CVE-2024-31208 |
| ubuntu | medium | CVE-2024-31208 medium priority: Ubuntu, including 2 source packages (matrix-synapse, synapse), 17 status rows across 10 suites (bionic, focal, jammy, mantic, noble, oracular, plucky, questing, upstream, xenial): ignored 8, needs-triage 7, released 2. | https://ubuntu.com/security/CVE-2024-31208 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| matrix | synapse | < 1.105.1 | cpe:2.3:a:matrix:synapse:*:*:*:*:*:*:*:* |
| fedoraproject | fedora | 38 | cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:* |
| fedoraproject | fedora | 39 | cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:* |
| fedoraproject | fedora | 40 | cpe:2.3:o:fedoraproject:fedora:40:*:*:*:*:*:*:* |
| URL | Tags |
|---|---|
| https://github.com/element-hq/synapse/commit/55b0aa847a61774b6a3acdc4b177a20dc019f01a | Patch |
| https://github.com/element-hq/synapse/releases/tag/v1.105.1 | Release Notes |
| https://github.com/element-hq/synapse/security/advisories/GHSA-3h7q-rfh9-xm4v | Vendor Advisory |
| https://lists.fedoraproject.org/archives/list/[email protected]/message/R6FCCO4ODTZ3FDS7TMW76PKOSEL2TQVB/ | Mailing List Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/[email protected]/message/RR53FNHV446CB37TP45GZ6F6HZLZCK3K/ | Mailing List Third Party Advisory |
| https://lists.fedoraproject.org/archives/list/[email protected]/message/VSF4NJJSTSQRJQ47PLYYSCFYKJBP7DET/ | Mailing List Third Party Advisory |