CVE-2024-53863
Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders
Description
### Impact

In Synapse versions before 1.120.1, enabling the `dynamic_thumbnails` option or processing a specially crafted request could trigger the decoding and thumbnail generation of uncommon image formats, potentially invoking external tools like Ghostscript for processing. This significantly expands the attack surface in a historically vulnerable area, presenting a risk that far outweighs the benefit, particularly since these formats are rarely used on the open web or within the Matrix ecosystem.

For a list of image formats, as well as decoding libraries and helper programs used, see [the Pillow documentation](https://pillow.readthedocs.io/en/stable/handbook/image-file-formats.html).

### Patches

Synapse 1.120.1 addresses the issue by restricting thumbnail generation to images in the following widely used formats: PNG, JPEG, GIF, and WebP.

### Workarounds

- Ensure any image codecs and helper programs, such as Ghostscript, are patched against security vulnerabilities.
- Uninstall unused image decoder libraries and helper programs, such as Ghostscript, from the system environment that Synapse is running in.
  - Depending on the installation method, there may be some decoder libraries bundled with Pillow, and these cannot be easily uninstalled.
  - The official Docker container image does not include Ghostscript.

### References

- [The Pillow documentation](https://pillow.readthedocs.io/en/stable/handbook/image-file-formats.html) includes a list of supported image formats and which libraries or helper programs are used to decode them.

### For more information

If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:security@element.io).
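The patch described above works by allowlisting the formats that reach the thumbnailer. The following is an added, stand-alone illustration of that kind of check; it is not Synapse's code. It sniffs the magic bytes of the four allowed formats (PNG, JPEG, GIF, WebP) in pure standard-library Python, so no image decoder runs before the decision is made, and it also flags a body whose declared Content-Type disagrees with what the bytes are. The function names, the `ALLOWED_MIME` table and the sample headers are all constructed for this example.

```python
from typing import Optional, Tuple

# Magic-byte signatures for the four formats the advisory keeps enabled.
# Only the leading bytes are inspected; no decoder is invoked on the input.
_SIGNATURES = (
    ("PNG", b"\x89PNG\r\n\x1a\n"),
    ("JPEG", b"\xff\xd8\xff"),
    ("GIF", b"GIF87a"),
    ("GIF", b"GIF89a"),
)

# Allowed formats mapped to the MIME types a client may declare for them
# (constructed table for this example).
ALLOWED_MIME = {
    "PNG": {"image/png"},
    "JPEG": {"image/jpeg", "image/jpg"},
    "GIF": {"image/gif"},
    "WEBP": {"image/webp"},
}


def sniff_image_format(data: bytes) -> Optional[str]:
    """Return the allowlisted format the bytes start with, or None."""
    for name, magic in _SIGNATURES:
        if data.startswith(magic):
            return name
    # WebP is a RIFF container: "RIFF" <4-byte little-endian size> "WEBP".
    if len(data) >= 12 and data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "WEBP"
    return None


def thumbnail_decision(data: bytes, declared_mime: str) -> Tuple[bool, str]:
    """Decide whether an uploaded body may be handed to the thumbnailer.

    Returns (allowed, reason). Anything whose bytes are not one of the four
    allowlisted formats is refused before any decoder sees it. A body that is
    an allowed format but was declared as something else is also refused, so
    the mismatch is surfaced in logs instead of being silently decoded.
    """
    fmt = sniff_image_format(data)
    if fmt is None:
        return False, "format not in thumbnail allowlist"
    if declared_mime.lower() not in ALLOWED_MIME[fmt]:
        return False, f"declared {declared_mime} but bytes look like {fmt}"
    return True, fmt


# Constructed sample inputs: file headers only, not complete images.
SAMPLES = {
    "png": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "image/png"),
    "webp": (b"RIFF\x24\x00\x00\x00WEBPVP8 ", "image/webp"),
    # An Encapsulated PostScript header: the class of input that could
    # previously be routed to an external helper such as Ghostscript.
    "eps": (b"%!PS-Adobe-3.0 EPSF-3.0\n", "application/postscript"),
    # PNG bytes with a Content-Type that does not match them.
    "png_mislabelled": (b"\x89PNG\r\n\x1a\n" + b"\x00" * 16, "application/postscript"),
}

if __name__ == "__main__":
    for name, (body, mime) in SAMPLES.items():
        allowed, reason = thumbnail_decision(body, mime)
        print(f"{name:16s} allowed={str(allowed):5s} {reason}")
```

The check inspects the body rather than the declared Content-Type because Pillow selects a decoder from the file header, not from whatever MIME type the client supplied; an allowlist applied only to the declared type would not stop an uncommon format from reaching its decoder.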
How to fix CVE-2024-53863
To remediate CVE-2024-53863, upgrade the affected package to a fixed version below.
- Upgrade to 1.121.0-1 or later
- Upgrade to 1.120.1 or later
Is CVE-2024-53863 being exploited?
Low — EPSS is 1.0%, meaning exploitation activity has not been observed at scale.