Impact
Missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion.
Patches
The issue is fixed by #9321.
Workarounds
Depending on the needs and configuration of the homeserver a few options are available:
-
Using email as third-party identifiers be disabled by not configuring the email setting.
-
Using phone numbers as third-party identifiers can be disabled by ensuring that account_threepid_delegates.msisdn is not configured.
-
Additionally, the affected endpoint patterns can be blocked at a reverse proxy:
^/_matrix/client/(r0|unstable)/register/email^/_matrix/client/(r0|unstable)/register/msisdn^/_matrix/client/(r0|unstable)/account/password^/_matrix/client/(r0|unstable)/account/3pid
Impact
Missing input validation of some parameters on the endpoints used to confirm third-party identifiers could cause excessive use of disk space and memory leading to resource exhaustion.
Patches
The issue is fixed by #9321.
Workarounds
Depending on the needs and configuration of the homeserver a few options are available:
Using email as third-party identifiers be disabled by not configuring the
emailsetting.Using phone numbers as third-party identifiers can be disabled by ensuring that
account_threepid_delegates.msisdnis not configured.Additionally, the affected endpoint patterns can be blocked at a reverse proxy:
^/_matrix/client/(r0|unstable)/register/email^/_matrix/client/(r0|unstable)/register/msisdn^/_matrix/client/(r0|unstable)/account/password^/_matrix/client/(r0|unstable)/account/3pid