CVE-2024-37303: 
Python vulnerability analysis and mitigation

Synapse before version 1.106 contains a vulnerability that allows unauthenticated remote participants to trigger downloads and caching of remote media from a remote homeserver to the local media repository. This vulnerability (CVE-2024-37303) was disclosed on December 3, 2024, affecting the Matrix homeserver implementation Synapse (GitHub Advisory).

The vulnerability stems from a design issue where unauthenticated remote participants can trigger media downloads that become cached in the local media repository. Once cached, this content becomes available for download from the local homeserver without authentication requirements. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, indicating network accessibility, low attack complexity, and no required privileges or user interaction (GitHub Advisory).

The primary impact of this vulnerability is that unauthenticated remote adversaries can exploit this functionality to plant problematic content into the media repository of a Synapse server. This creates potential risks for content distribution and storage abuse (GitHub Advisory).

Synapse version 1.106 introduces a partial mitigation by implementing new endpoints that require authentication for media downloads. The unauthenticated endpoints will be frozen in a future release to completely close the attack vector. As a temporary workaround, server operators can implement more strict rate limits based on IP address (GitHub Advisory).