Prosody security advisory 2020-01-28


Prosody XMPP server
Affected versions
prosody-modules hg:e16593e7d482
Fixed versions
prosody-modules hg:f2b29183ef08


mod_auth_ldap and mod_auth_ldap2 from the Prosody community modules repository (prosody-modules) incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities to admin-only functionality if their username matches the username of a local admin.


mod_auth_ldap and mod_auth_ldap2 have the optional ability to grant admin access based on an LDAP filter string.

Both modules only use the ‘user’ part of the JID they are checking, which means a user of a remote server who has the same username may be inadvertently granted admin access to the server.

Affected configurations

Prosody deployments that use mod_auth_ldap or mod_auth_ldap2 (e.g. through the configuration option authentication = "ldap") combined with any of the following options:

If you do not use either of these LDAP modules you are not affected. If you use the LDAP modules but do not use any of the options listed here, you are also not affected (but upgrading is still recommended).


Update to the latest prosody-modules or remove the admin options listed above from your configuration file. There is no need to upgrade Prosody itself.

If you have prosody-modules downloaded through Mercurial (hg) you can run:

hg pull
hg update default
hg log -r f2b29183ef08

If all these commands succeed, you are up to date. Restart Prosody after updating prosody-modules.

Users of the prosody-modules Debian package can expect an update from Debian soon.


Discovered by the Prosody team during review.