Security Update: Addressing critical Synapse vulnerabilities on Beacon relay infrastructure

This is a joint post by Nomadic Labs, Trilitech and Papers AG.

On February 26th, we received a responsible disclosure notification from ECAD Labs, reporting vulnerabilities (including one rated critical upstream) on the Synapse Matrix relay servers used by Octez.connect and Beacon.

While these vulnerabilities could not lead to Tezos users' accounts being compromised (user funds were always safe), they could be exploited to temporarily disrupt the ecosystem's relay infrastructure, affecting wallet connectivity and session routing. An exploit could have prevented end-users from submitting transactions from their wallets and interacting with dApps.

Upon receiving the disclosure, the Octez.connect and Beacon teams swiftly formed a joint task force to address the reported vulnerabilities. The fix involved upgrading all Synapse servers to their latest, safe versions.

This was completed via a scheduled maintenance window (announced on status.tezos.com) with minimal user disruption: nodes were upgraded sequentially to maintain continuity of service. A small number of users reported connection issues during this window, which were easily resolved by reconnecting.

The service has now been fully restored.

We thank ECAD Labs for reaching out to us to disclose their findings and offer their support.

Summary of CVEs

The complete list of Synapse vulnerabilities reported by ECAD is:

  • CVE-2025-30355: Synapse vulnerable to federation denial of service via malformed events. Actively exploited in the wild (critical).
  • CVE-2024-53863: Synapse can be forced to thumbnail unexpected file formats, invoking external, potentially untrustworthy decoders.
  • CVE-2024-52815: Synapse allows a malformed invite to break the invitee’s /sync.
  • CVE-2024-52805: Synapse allows unsupported content types to lead to memory exhaustion.
  • CVE-2025-61672: Synapse: Invalid device keys degrade federation functionality.

Looking Ahead

Now that Beacon and Octez.connect are fully and safely back online, we are making two improvements going forward:

As Octez.connect matures, we will integrate it more deeply into our existing monitoring pipelines and infrastructure.

We will also ensure future maintenance operations are communicated widely to developers and users beyond status.tezos.com, including their potential implications.

We look forward to continuing to build a secure and resilient ecosystem together.
