CVE-2022-31052: 
Python vulnerability analysis and mitigation

Synapse is an open source home server implementation for the Matrix chat network. In versions prior to 1.61.1, URL previews of some web pages could exhaust the available stack space for the Synapse process due to unbounded recursion, potentially leading to process crashes. The vulnerability was discovered and disclosed on June 28, 2022, affecting deployments with urlpreviewenabled set to true in configuration (Matrix Advisory).

The vulnerability exists in the URL preview functionality where unbounded recursion could occur when processing certain web pages. This could lead to stack space exhaustion and process crashes. The issue affects Synapse media repositories or Synapse monoliths that have URL preview functionality enabled. The vulnerability is rated as High severity and was assigned CVE-2022-31052 (Matrix Advisory).

When exploited, this vulnerability could cause the Synapse process to crash, leading to denial of service. In some cases, the crash is recoverable and results in an error for the specific request, but in other scenarios, the entire Synapse process may crash. The vulnerability could be exploited either by malicious users on the homeserver or by remote users sending URLs that a local user's client may automatically request a preview for (Matrix Advisory).

Administrators can mitigate this vulnerability by either upgrading to Synapse v1.61.1 or higher, or by disabling URL previews in the configuration file by setting urlpreviewenabled: false. For deployments using workers, URL previews can be offloaded to dedicated worker(s) to ensure that a process crash does not disrupt other functionality of Synapse (Matrix Advisory, Fedora Update).