CVE-2024-52791: 
Linux openSUSE vulnerability analysis and mitigation

Matrix Media Repo (MMR), a highly configurable multi-homeserver media repository for Matrix, was found to contain a vulnerability tracked as CVE-2024-52791. The vulnerability was disclosed on January 16, 2025, and affects versions prior to 1.3.8. The issue involves MMR's handling of JSON responses from other servers during normal operations (GitHub Advisory).

The vulnerability stems from MMR's JSON parsing mechanism when handling responses from other servers. During normal operation, MMR makes requests to external servers which can return large amounts of JSON data. When parsing these responses, MMR can consume excessive amounts of memory, potentially leading to memory exhaustion. The vulnerability has been assigned a CVSS v3.1 base score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, indicating it is network-accessible, requires low attack complexity, and primarily affects system availability (GitHub Advisory).

The primary impact of this vulnerability is the potential for denial of service through memory exhaustion. When exploited, the vulnerability can cause MMR processes to consume excessive memory resources, potentially leading to system instability or service interruption (GitHub Advisory).

The vulnerability has been fixed in MMR version 1.3.8. For users unable to upgrade immediately, several workarounds are available: 1) Configure forward proxies to block requests to unsafe hosts, 2) Set memory limits and auto-restart configurations for MMR processes, 3) Run multiple MMR processes concurrently to ensure service continuity during restarts (GitHub Release, GitHub Advisory).