diff --git a/changelog.d/12829.bugfix b/changelog.d/12829.bugfix
new file mode 100644
index 000000000..dfa1fed34
--- /dev/null
+++ b/changelog.d/12829.bugfix
@@ -0,0 +1 @@
+Fix a bug where we did not correctly handle invalid device list updates over federation. Contributed by Carl Bordum Hansen.
diff --git a/synapse/handlers/device.py b/synapse/handlers/device.py
index 1d6d1f8a9..e59937fd7 100644
--- a/synapse/handlers/device.py
+++ b/synapse/handlers/device.py
@@ -763,6 +763,10 @@ class DeviceListUpdater:
 device_id = edu_content.pop("device_id")
 stream_id = str(edu_content.pop("stream_id")) # They may come as ints
 prev_ids = edu_content.pop("prev_id", [])
+ if not isinstance(prev_ids, list):
+ raise SynapseError(
+ 400, "Device list update had an invalid 'prev_ids' field"
+ )
 prev_ids = [str(p) for p in prev_ids] # They may come as ints
 if get_domain_from_id(user_id) != origin:
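Review bot: The new guard only checks that `prev_ids` is a list, so the comprehension on the following line still calls `str()` on whatever a remote server placed inside it (nested objects, null, booleans) and passes the result on as if it were a stream ID. Because this EDU arrives over federation, I would reject bad elements in the same check: `if not isinstance(prev_ids, list) or not all(isinstance(p, (str, int)) for p in prev_ids):`. The error text names `'prev_ids'` while the key actually read from the EDU is `"prev_id"`, so whoever debugs the 400 will look for a field that is not on the wire; `"Device list update had an invalid 'prev_id' field"` matches what was sent. `device_id` and `stream_id` are popped without a type check in the visible lines, but the function starts and ends outside the hunk, so they may be validated elsewhere.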