Prosody security advisory 2018-05-31


Prosody XMPP server
Affected versions
0.9.x prior to 0.9.14, 0.10.x prior to 0.10.2. All prior series affected.
Fixed versions
0.9.14, 0.10.2


Due to insufficient validation of client-provided parameters during XMPP stream restarts, authenticated users may override the realm associated with their session, potentially bypassing security policies and allowing impersonation.


Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts.

In practice this means that a user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.

Note that successful authentication to host A is required to initiate the attack. This includes SASL ANONYMOUS.

Overriding the authenticated username is not possible via this exploit, and this limits impersonation to usernames on host B that the attacker also has access to on host A. In the case of ANONYMOUS authentication, the username is random and enforced by the server.

If a user has the account user1@hosta.example, they may impersonate user1@hostb.example, with security policies of host B applied.

Affected configurations

Prosody deployments configured with multiple virtual hosts are vulnerable.

Standard TCP connections and websocket connections are affected, but BOSH connections are not affected - i.e. deployments where the only access to Prosody is via BOSH are not vulnerable.

Temporary mitigation

Patch available.


All users should upgrade to at least 0.9.14, 0.10.2 or check their OS distribution for security updates. Users of development branches (0.10, trunk) should upgrade to the latest nightly builds.


Reported by Princess Pepperoni from