CVE-2024-36403: 
Linux openSUSE vulnerability analysis and mitigation

A vulnerability in Matrix Media Repository (MMR) versions prior to 1.3.5 allows unauthenticated adversaries to perform unbounded disk consumption through remote media file downloads. The vulnerability was discovered and disclosed on January 16, 2025, affecting instances using file-backed storage or self-hosted S3 storage systems (GitHub Advisory).

The vulnerability (CVE-2024-36403) has a CVSS v3.1 base score of 5.3 (Moderate), with attack vector being Network, attack complexity Low, requiring no privileges or user interaction, and affecting availability. The vulnerability is characterized by CWE-770, allowing unauthenticated users to induce the system to download and cache large amounts of remote media files without proper limitations (GitHub Advisory).

The vulnerability can lead to two primary impacts depending on the storage configuration: For instances using file-backed storage or self-hosted S3 systems, it can result in disk fill attacks leading to denial of service, preventing authenticated users from uploading new media. For instances using cloud-based S3 storage options, it can result in significant financial impact through high service fees (GitHub Advisory).

The vulnerability is patched in version 1.3.5, which introduces a default-on 'leaky bucket' rate limit to reduce the amount of data a user can request at a time. For proper implementation, operators must ensure their reverse proxy populates the X-Forwarded-For header when sending requests to MMR. Additional workarounds include lowering the maximum allowed file size and implementing strict rate limits, though this may not completely prevent large data downloads (GitHub Advisory).