Synapse 1.139.1 (2025-10-07)

Security Fixes

• Fix CVE-2025-61672 / GHSA-fh66-fcv5-jjfr. Lack of validation for device keys in Synapse before 1.139.1 allows an attacker registered on the victim homeserver to degrade federation functionality, unpredictably breaking outbound federation to other homeservers. (#17097)

Deprecations and Removals

• Drop support for unstable field names from the long-accepted MSC2732 (Olm fallback keys) proposal. This change allows unit tests to pass following the security patch above. (#18996)