Today we're exceptionally releasing Synapse 1.61.1, which comes as a security release. Server administrators are encouraged to update as soon as possible.
This release fixes a vulnerability with Synapse's URL preview feature. URL previews of some web pages can lead to unbounded recursion, causing the request to either fail, or in some cases crash the running Synapse process.
Homeservers with the
url_preview_enabled configuration option set to
(the default value) are unaffected. Instances with the
configuration option set to
false are also unaffected, as this also disables
the URL preview functionality.
Server administrators who are unable to update Synapse should disable URL
previews by setting
url_preview_enabled: false in their configuration file.
They can also delegate URL preview to a separate, dedicated worker to ensure the
process crashing does not impact other functionality of Synapse.
Please see this security advisory for more information.