An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLXc5ZmcteGZmaC1wMzYy

Denial of service (via resource exhaustion) due to improper input validation on third-party identifier endpoints


Missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion.


The issue is fixed by #9321.


Depending on the needs and configuration of the homeserver a few options are available:

  1. Using email as third-party identifiers be disabled by not configuring the email setting.

  2. Using phone numbers as third-party identifiers can be disabled by ensuring that account_threepid_delegates.msisdn is not configured.

  3. Additionally, the affected endpoint patterns can be blocked at a reverse proxy:

    • ^/_matrix/client/(r0|unstable)/register/email
    • ^/_matrix/client/(r0|unstable)/register/msisdn
    • ^/_matrix/client/(r0|unstable)/account/password
    • ^/_matrix/client/(r0|unstable)/account/3pid
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 8 months ago

CVSS Score: 5.3
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-w9fg-xffh-p362, CVE-2021-21394

Affected Packages

Versions: < 1.28.0
Fixed in: 1.28.0