CVE-2023-32323: 
Python vulnerability analysis and mitigation

Synapse is an open-source Matrix homeserver written and maintained by the Matrix.org Foundation. A vulnerability was discovered where a malicious user on a Synapse homeserver X with permission to create certain state events could disable outbound federation from X to an arbitrary homeserver Y. The vulnerability affects versions up to and including 1.73, while instances with federation disabled are not affected. The issue was disclosed in May 2023 and assigned identifier CVE-2023-32323 (Matrix Advisory).

The vulnerability stems from Synapse not limiting the size of invite_room_state fields in room invites. This allowed the creation of arbitrarily large invite events. When such an oversized invite event was acknowledged by an invitee's homeserver, it would be sent in a batch of events that could be rejected as too large, effectively causing X's outgoing traffic to Y to become 'stuck'. The vulnerability has been assigned a CVSS v3.1 base score of 5.0 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:L) and is classified as CWE-20 (Improper Input Validation) (NVD).

When exploited, this vulnerability could cause messages and state events created by the affected homeserver X to remain unseen by the target homeserver Y, effectively disrupting federation between the two servers. The impact is particularly significant as it affects the core functionality of Matrix's federated architecture (Matrix Advisory).

The vulnerability was patched in Synapse version 1.74, which refuses to create oversized invite_room_state fields. Server operators are urged to upgrade to Synapse 1.74 or newer. As a partial mitigation, Synapse operators can disable open registration to limit attackers' ability to create new accounts. If a server has been attacked, restarting it will resume outgoing federation through 'catchup mode', though this is not a permanent solution as the attack can be repeated (Matrix Advisory).