CVE-2021-29430: 
Python vulnerability analysis and mitigation

Sydent, a reference Matrix identity server, was found to be vulnerable to a denial of service attack (CVE-2021-29430). The vulnerability was discovered and disclosed on April 15, 2021. The issue affected versions 2.2.0 and earlier of the matrix-sydent package, with version 2.3.0 containing the fix (Matrix Advisory).

The vulnerability stems from Sydent not implementing size limits on HTTP request bodies received from clients. Additionally, there were no limits on response sizes for requests made to remote Matrix homeservers. This lack of bounds checking could allow attackers to send requests with very large payloads or receive oversized responses (Matrix Advisory).

A malicious user could exploit this vulnerability by sending HTTP requests with extremely large bodies, leading to disk space exhaustion and denial of service. Similarly, a malicious homeserver could return very large responses causing memory exhaustion and service disruption. This particularly affects servers that accept registration requests from untrusted clients (Matrix Advisory).

The issue was patched in version 2.3.0 of Sydent. For unpatched systems, request sizes can be limited using an HTTP reverse-proxy as a temporary workaround. However, there were no known workarounds for the problem with overlarge responses. Server administrators were advised to update to version 2.3.0 as soon as possible (Matrix Release, Matrix Advisory).