CVE-2025-30355

Description

### Impact A malicious server can craft events with a `depth` outside the integer range allowed by Canonical JSON. When such an event is received by Synapse version up to 1.127.0, it prevents it from federating with other servers. The vulnerability has been exploited in the wild. ### Patches Fixed in Synapse v1.127.1. ### Workarounds Closed federation environments of trusted servers or non-federating installations are not affected. ### For more information If you have any questions or comments about this advisory, please email us at [security at element.io](mailto:[email protected]).

How to fix CVE-2025-30355

To remediate CVE-2025-30355, upgrade the affected package to a fixed version below.

• —upgrade to 1.121.0-6 or later
• —upgrade to 1.127.1 or later

Is CVE-2025-30355 being exploited?

Moderate — EPSS is 13.2%. Track this CVE but it's not at the top of the prioritisation list.

Affected packages (2)

• from 0, < 1.121.0-6
• from 0, < 1.127.1

CVSS scores

References (6)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-30355
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2025-30355
• PATCHgithub.com/element-hq/synapse
• WEBgithub.com/element-hq/synapse/commit/2277df2a1eb685f85040ef98fa21d41aa4cdd389