CVE-2021-21274

CVE-2021-21274 is a medium-severity vulnerability in Matrix Synapse with a CVSS 3.x base score of 4.3. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-770.

Key facts

Description

Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to a denial of service attack where homeservers will consume significantly more resources when requesting the .well-known file of a malicious homeserver. This affects any server which accepts federation requests from untrusted servers. Issue is resolved in version 1.25.0. As a workaround the `federation_domain_whitelist` setting can be used to restrict the homeservers communicated with over federation.

Frequently asked questions

What is CVE-2021-21274?
Synapse is a Matrix reference homeserver written in python (pypi package matrix-synapse). Matrix is an ecosystem for open federated Instant Messaging and VoIP. In Synapse before version 1.25.0, a malicious homeserver could redirect requests to their .well-known file to a large file. This can lead to a denial of service attack where homeservers will consume significantly more resources when requesting the .well-known file of a malicious homeserver. This affects any server which accepts federation requests from untrusted servers. Issue is resolved in version 1.25.0. As a workaround the `federation_domain_whitelist` setting can be used to restrict the homeservers communicated with over federation.
How severe is CVE-2021-21274?
CVE-2021-21274 has a CVSS 3.x base score of 4.3, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is none, integrity none, and availability low.
Is CVE-2021-21274 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 2% (80th percentile), an estimate of the probability of exploitation in the next 30 days.
What products are affected by CVE-2021-21274?
CVE-2021-21274 primarily affects Matrix Synapse. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
How do I fix CVE-2021-21274?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
When was CVE-2021-21274 published?
CVE-2021-21274 was published on 2021-02-26 and last updated on 2026-06-17.

References

Affected products (2)

More vulnerabilities in Matrix Synapse

All CVEs affecting Matrix Synapse →

Other CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerabilities

Browse all CWE-770 (Allocation of Resources Without Limits or Throttling) vulnerabilities →