CVE-2021-29430

HIGH 7.5 | EPSS 1.4%

Sydent vulnerable to denial of service attack via memory exhaustion

Published: 4/19/2021 | Modified: 3/13/2026

Description

### Impact

Sydent does not limit the size of requests it receives from HTTP clients. A malicious user could send an HTTP request with a very large body, leading to disk space exhaustion and denial of service.

Sydent also does not limit response size for requests it makes to remote Matrix homeservers. A malicious homeserver could return a very large response, again leading to memory exhaustion and denial of service.

This affects any server which accepts registration requests from untrusted clients.

### Patches

Patched by 89071a1, 0523511, f56eee3.

### Workarounds

Request sizes can be limited in an HTTP reverse-proxy.

There are no known workarounds for the problem with overlarge responses.

### For more information

If you have any questions or comments about this advisory, email us at [email protected].
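Both halves of the problem described above (unbounded request bodies and unbounded homeserver responses) are closed by enforcing a byte cap while reading, whatever length the peer declares. The following is an added example, not Sydent's code or the referenced patches; `read_body_capped`, `BodyTooLarge` and the 1024-byte cap are hypothetical, and the bodies are constructed in memory.

```python
import io


class BodyTooLarge(Exception):
    """Raised when a request or response body exceeds the configured cap."""


def read_body_capped(stream, max_size, declared_length=None, chunk_size=8192):
    """Return the whole body from a file-like stream, or raise BodyTooLarge.

    declared_length is the peer's Content-Length, if it sent one. It is used
    only to reject early; the cap is still enforced on the bytes received.
    """
    if declared_length is not None and declared_length > max_size:
        raise BodyTooLarge(f"declared length {declared_length} exceeds {max_size}")
    buf = bytearray()
    while True:
        # Never request more than one byte past the cap, so an oversized
        # body is detected without being buffered.
        chunk = stream.read(min(chunk_size, max_size + 1 - len(buf)))
        if not chunk:
            return bytes(buf)
        buf += chunk
        if len(buf) > max_size:
            raise BodyTooLarge(f"body exceeds cap of {max_size} bytes")


def demo(cap=1024):
    """Run the reader over constructed in-memory bodies (hypothetical cap)."""
    cases = {
        "small": (io.BytesIO(b'{"ok": true}'), 12),
        "no_length_huge": (io.BytesIO(b"A" * 1_000_000), None),
        "understated_length": (io.BytesIO(b"A" * 5000), 10),
        "overstated_length": (io.BytesIO(b"{}"), 10**9),
    }
    outcome = {}
    for name, (stream, declared) in cases.items():
        try:
            read_body_capped(stream, cap, declared)
            outcome[name] = ("accepted", stream.tell())
        except BodyTooLarge:
            outcome[name] = ("rejected", stream.tell())
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The second value in each result is how many bytes were consumed from the stream: an oversized body is abandoned one byte past the cap, and an overstated length is rejected before any read.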

Affected packages (2)

  • PyPI/matrix-sydent: from 0, < 2.3.0
  • PyPI/matrix-sydent: from 0, < 0523511d2fb40f2738f8a8549868f44b96e5dab7, < 89071a1a754c69a50deac89e6bb74002d4cda19d, < f56eee315b6c44fdd9f6aa785cc2ec744a594428 | from 0, < 2.3.0

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 4.0 | | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |

References (10)