CVE-2025-61672: 
Python vulnerability analysis and mitigation

CVE-2025-61672 affects Synapse, an open source Matrix homeserver implementation. The vulnerability was discovered and disclosed in October 2025, involving lack of validation for device keys in versions before 1.138.3 and in version 1.139.0. The vulnerability allows attackers registered on a victim homeserver to degrade federation functionality (GitHub Advisory).

The vulnerability stems from insufficient validation of device keys in the /keys/upload endpoint. The issue is related to improper validation of specified type of input (CWE-1287). The vulnerability has been assigned a CVSS v4.0 Base Score of 5.3 (Medium) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N (NVD).

When exploited, the vulnerability can cause unpredictable breaking of outbound federation to other homeservers, degrading the federation functionality of the affected Synapse instance. The impact is limited to users who are already registered on the victim homeserver (GitHub Advisory).

The vulnerability has been patched in Synapse versions 1.138.3, 1.138.4, 1.139.1, and 1.139.2. However, versions 1.138.3 and 1.139.1 introduced an unrelated regression, so users are recommended to upgrade directly to 1.138.4 or 1.139.2. As a workaround, administrators can limit user registration on their homeserver to reduce the attack surface (GitHub Advisory).