Message-ID: <CAJt9-x4hqhaH7NrFUmk0ULE7xHtNMMbE4M+miu=pQ8PNuLQ-=w@mail.gmail.com>
Date: Fri, 1 May 2026 13:38:16 +0100
From: Matthew Wild <mwild1@...il.com>
To: oss-security@...ts.openwall.com
Subject: Prosody XMPP server security advisory 2026-04-31 (multiple vulnerabilities)

Project
:   Prosody XMPP server

URL
:   https://prosody.im/

Date
:   2026-04-29

This advisory details two security vulnerabilities discovered in the
Prosody.im XMPP server software. Fixes are available in Prosody 13.0.5.
Deployments still using the Prosody 0.12 series can upgrade to 0.12.6.

In this advisory:

- Denial of Service via Memory Exhaustion
- Unauthenticated Use of SOCKS5 Proxy (mod_proxy65)

Full details of the vulnerabilities are below.

The recommended advice is for all Prosody users to:

- Upgrade to 13.0.5
- For extra protection, review system firewall limits (see below)

This advisory can be found online at:

- https://prosody.im/security/advisory_735dd9d3/ (HTML)
- https://prosody.im/security/advisory_735dd9d3.txt (text)

Denial of Service via Memory Exhaustion
-------------------------------------------------------

CVEs
: We have requested 2 CVEs

CVSS
: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CWEs
: CWE-405, CWE-770, CWE-772

Affected versions
: All versions prior to 13.0.5

Fixed versions
: 0.12.6, 13.0.5

**References**

- https://blog.unionium.org/ARTICLES/1.HTM (third-party, see below)

*Note:* We have provided the original reporter's blog post as a reference,
as it contains the original report and proof-of-concept exploit code.
However, the Prosody developers do not recommend the analysis and
mitigations provided in that post to Prosody operators.

**Description**

Traffic patterns were discovered which can cause Prosody to consume
excessive amounts of memory with much smaller amounts of incoming
traffic. This traffic can be sent by unauthenticated connections.

Prosody has per-connection rate limits. However, these limits offered less
protection than intended, because the memory consumed was amplified
relative to the amount of data the attacker transmitted.

Further, Prosody does not enforce limits on the total number of
connections, allowing an attacker to increase the impact by using
multiple concurrent connections.

Finally, the attack revealed per-connection resource leaks, where a
connection could continue to consume resources in Prosody even after
the stream is finished.

**Affected configurations**

All Prosody versions prior to 13.0.5 are believed to be affected.

Further, the issues described in this advisory are closely related
to libexpat CVE-2025-59375. Fully protecting Prosody deployments
requires that LuaExpat (a required dependency of Prosody) is linked
against libexpat 2.7.2 or later (the version of expat in use can be
discovered in the output of 'prosodyctl about').

**Mitigation**

Operators of Prosody servers are encouraged to utilize their system's
firewall to limit the rate and total number of connections to their
service.

For example, 'ufw' is a widely available firewall tool which can limit
excessive incoming connection requests. To apply this limiting to the
standard XMPP ports, you would run:

```
ufw limit 5222
ufw limit 5269
```

iptables and nftables also have 'connlimit' features to limit the
total number of connections per IP address. Refer to the
documentation of your firewall for correct configuration.
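The advisory names iptables 'connlimit' but leaves the rule configuration to the reader. The following is an added example, not code from the Prosody project or the advisory: a small POSIX shell script that emits iptables rules capping concurrent connections per source address and rate-limiting new connections on the two XMPP ports listed above. The thresholds (20 concurrent connections per source, 30 new connections per minute with a burst of 10) are assumed starting points, not Prosody recommendations.

```shell
#!/bin/sh
# Added example, not part of the Prosody advisory or project: emit iptables
# rules that cap concurrent connections per source address and rate-limit new
# connections on the XMPP ports the advisory names (5222 c2s, 5269 s2s).
# Thresholds are assumed starting points, not Prosody recommendations.

XMPP_PORTS="5222 5269"

# Emit the two rules for one port.
# Arguments: port, max concurrent connections per source, new-connection
# rate (iptables hashlimit syntax, e.g. 30/min), burst allowance.
xmpp_port_rules() {
    port=$1; max_conns=$2; rate=$3; burst=$4
    # Reset a new connection when this source already holds max_conns
    # connections to the port (per /32; for ip6tables use e.g. --connlimit-mask 64).
    printf 'iptables -A INPUT -p tcp --syn --dport %s -m connlimit --connlimit-above %s --connlimit-mask 32 -j REJECT --reject-with tcp-reset\n' \
        "$port" "$max_conns"
    # Drop SYNs from a source opening new connections faster than rate
    # (burst allows a short initial spike, e.g. a client reconnect storm).
    printf 'iptables -A INPUT -p tcp --syn --dport %s -m hashlimit --hashlimit-name xmpp_%s --hashlimit-mode srcip --hashlimit-above %s --hashlimit-burst %s -j DROP\n' \
        "$port" "$port" "$rate" "$burst"
}

# Rules for every XMPP port, one iptables command per line. Defaults can be
# overridden through the environment: MAX_CONNS, NEW_RATE, BURST.
xmpp_rules() {
    for p in $XMPP_PORTS; do
        xmpp_port_rules "$p" "${MAX_CONNS:-20}" "${NEW_RATE:-30/min}" "${BURST:-10}"
    done
}

# Number of rules that would be installed; a quick sanity check before applying.
xmpp_rule_count() {
    xmpp_rules | wc -l | tr -d ' '
}

# Dry run by default: print the rules for review. APPLY=1 installs them
# (requires root and the connlimit/hashlimit match modules).
if [ "${APPLY:-0}" = "1" ]; then
    xmpp_rules | sh -e
else
    xmpp_rules
fi
```

Review the printed rules, then run with `APPLY=1` to install them; repeat with `ip6tables` and a suitable `--connlimit-mask` if the service is reachable over IPv6.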

It is **not** recommended to drastically lower Prosody's per-connection
bandwidth rate limits as described in the blog post by the original
reporter. Lowering rate limits slows down processing of an attacker's
connections, causing them to remain active for longer. This can
negatively impact Prosody's resource usage. Prosody's default rate
limits are generally considered sufficient.

**Fixes**

The attack revealed a number of areas where the resource usage of connections
could exceed expected and desired levels. Multiple fixes were applied.

Resource amplification (first CVE):

- Lower stanza size limits have been introduced for unauthenticated
  streams.\
  Commits: [8a4417d32b0f](https://hg.prosody.im/trunk/rev/8a4417d32b0f),
  [166ac7d65cb6](https://hg.prosody.im/trunk/rev/166ac7d65cb6),
  [a4327478678f](https://hg.prosody.im/trunk/rev/a4327478678f)
- Limits have been placed on the complexity of XML stanzas, to
  disallow stanzas that would consume significantly more memory
  than their serialized form.\
  Commits: [6c7549964d4d](https://hg.prosody.im/trunk/rev/6c7549964d4d),
  [1e005ba71f0d](https://hg.prosody.im/trunk/rev/1e005ba71f0d)

Memory leaks (second CVE):

- Four memory leaks have been fixed: two could be triggered by
  unauthenticated connections, and two by authenticated users.\
  Commits:
  [836a70deb3c9](https://hg.prosody.im/trunk/rev/836a70deb3c9) (unauthenticated),
  [e27d94d8f505](https://hg.prosody.im/trunk/rev/e27d94d8f505) (unauthenticated),
  [041c7ff18f76](https://hg.prosody.im/trunk/rev/041c7ff18f76) (authenticated),
  [374b72785488](https://hg.prosody.im/trunk/rev/374b72785488) (authenticated)

Other:

- Code to configure per-IP connection limits has been introduced;
  however, it is currently experimental, and enforcing such limits
  with a system firewall is preferable where possible. Refer to the
  documentation for your system firewall.

**Attribution**

The resource amplification attack was discovered and disclosed to the
Prosody team by Ley <unionium.org> in advance of their public blog post.

The memory leaks were discovered by the Prosody team during their
research into this issue.

Unauthenticated Use of SOCKS5 Proxy (mod_proxy65)
-------------------------------------------------------

CVEs
: We have requested 1 CVE

CVSS
: 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CWEs
: CWE-863

Affected versions
: All versions prior to 0.12.6 and 13.0.5

Fixed versions
: 0.12.6, 13.0.5

**Description**

It was discovered that mod_proxy65's access control was broken and incomplete
due to two bugs.

Firstly, due to changes in our default network backend, a connection that
mod_proxy65 believed to be "paused" would actually be able to send data
through the proxy before authorization.

Secondly, mod_proxy65 only checked the access control rules during the
discoverability stage of the protocol, but not during the activation stage.
Any entity able to guess the domain and port of the proxy (which defaults to
port 5000) could skip the discoverability stage and would be able to use it.

**Limitations**

mod_proxy65 is designed to facilitate file transfers and other binary streams
between two XMPP entities. It is not a generic SOCKS5 proxy, and this limits
the scope of potential abuse.

For example, mod_proxy65 does not make outbound connections, and therefore
cannot be abused for forward proxying of an attacker's connections to
arbitrary endpoints. It requires both peers to make a connection to the proxy
and perform a SOCKS5 handshake.

**Affected configurations**

All deployments with mod_proxy65 enabled are affected. mod_proxy65 is not
enabled in the default configuration.

**Mitigation**

mod_proxy65 can be disabled; however, this may have a negative impact on some
kinds of file transfers.

**Fixes**

Fixes were made in two commits:

- [f34ad235cf3b](https://hg.prosody.im/trunk/rev/f34ad235cf3b)
- [4bbb17445ed9](https://hg.prosody.im/trunk/rev/4bbb17445ed9)

**Attribution**

The issue with unpausing connections was discovered and disclosed by Max
Hearnden <https://github.com/MaxHearnden/>.

The missing authorization was discovered during review of the code by
a Prosody team member.
