Prosody XMPP server advisory 2026-04-29 (Multiple Vulnerabilities)

Project : Prosody XMPP server
URL     : https://prosody.im/
Date    : 2026-04-29

This advisory details two security vulnerabilities discovered in the Prosody.im XMPP server software. Fixes are available in Prosody 13.0.5. Deployments still using the Prosody 0.12 series can upgrade to 0.12.6.

In this advisory:

- Denial of Service via Memory Exhaustion
- Unauthenticated Use of SOCKS5 Proxy (mod_proxy65)

Full details of the vulnerabilities are below. The recommended advice is for all Prosody users to:

- Upgrade to 13.0.5 (or to 0.12.6 on the 0.12 series)
- For extra protection, review system firewall limits (see below)

This advisory can be found online at:

- https://prosody.im/security/advisory_735dd9d3/ (HTML)
- https://prosody.im/security/advisory_735dd9d3.txt (text)

Denial of Service via Memory Exhaustion
-------------------------------------------------------

CVEs              : We have requested 2 CVEs
CVSS              : 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
CWEs              : CWE-405, CWE-770, CWE-772
Affected versions : All versions prior to 0.12.6 and 13.0.5
Fixed versions    : 0.12.6, 13.0.5

**References**

- https://blog.unionium.org/ARTICLES/1.HTM (third-party, see below)

*Note:* We have provided the original reporter's blog post as a reference, as it contains the original report and proof-of-concept exploit code. However, the Prosody developers do not recommend the analysis and mitigations provided in that post to Prosody operators.

**Description**

Traffic patterns were discovered which cause Prosody to consume excessive amounts of memory in response to comparatively small amounts of incoming traffic. This traffic can be sent over unauthenticated connections. Prosody has per-connection rate limits; however, the protection those limits provide was reduced because the memory consumed was amplified relative to the number of bytes the attacker actually transmitted.
Further, Prosody does not enforce limits on the total number of connections, allowing an attacker to increase the impact by using multiple concurrent connections. Finally, the attack revealed per-connection resource leaks, where a connection could continue to consume resources in Prosody even after its stream had finished.

**Affected configurations**

All Prosody versions prior to 0.12.6 and 13.0.5 are believed to be affected.

Further, the issues described in this advisory are closely related to libexpat CVE-2025-59375. Fully protecting a Prosody deployment requires that LuaExpat (a required dependency of Prosody) is linked against libexpat 2.7.2 or later. The version of expat in use is shown in the output of 'prosodyctl about'.

**Mitigation**

Operators of Prosody servers are encouraged to use their system's firewall to limit the rate and total number of connections to the service. For example, 'ufw' is a widely available firewall tool whose 'limit' rule rejects further connections from an address that opens too many connections in a short window (see the ufw manual for the exact thresholds). To apply this limiting to the standard XMPP client and server ports, you would run:

```
ufw limit 5222
ufw limit 5269
```

iptables and nftables also have 'connlimit' features to limit the total number of concurrent connections per IP address. Refer to the documentation of your firewall for correct configuration.

It is **not** recommended to drastically lower Prosody's per-connection bandwidth rate limits as described in the blog post by the original reporter. Lowering the rate limits slows down processing of an attacker's connections, causing them to remain open (and to hold their memory) for longer, which can make Prosody's resource usage worse rather than better. Prosody's default rate limits are generally considered sufficient.

**Fixes**

The attack revealed a number of areas where the resource usage of connections could exceed expected and desired levels. Multiple fixes were applied.
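As an added illustration of the kind of limit these fixes introduce (this is example code written for this page, not Prosody's code and not the content of any commit listed here), the following Python implements a streaming stanza guard on top of expat: it counts serialized bytes, nesting depth, element count and attributes per element as the stanza arrives, with tighter limits for unauthenticated streams, and abandons the stanza as soon as any limit is crossed, before a tree is built for it. The numeric limits, the names Limits/StanzaGuard/check_stanza and the sample stanzas are constructed assumptions, not Prosody's actual values or traffic.

```python
# Added example (not Prosody's code): per-stanza size and complexity limits
# enforced in a streaming XML parser. All numeric limits, names and sample
# stanzas below are assumptions constructed for illustration.
import xml.parsers.expat
from dataclasses import dataclass


@dataclass(frozen=True)
class Limits:
    max_bytes: int   # serialized size of a single stanza
    max_depth: int   # element nesting depth within the stanza
    max_nodes: int   # total number of elements in the stanza
    max_attrs: int   # attributes on any single element


# Assumed policy: unauthenticated streams get far tighter limits, since an
# attacker has spent nothing but a TCP handshake to reach this code.
UNAUTHENTICATED = Limits(max_bytes=10_000, max_depth=20, max_nodes=200, max_attrs=32)
AUTHENTICATED = Limits(max_bytes=256_000, max_depth=64, max_nodes=10_000, max_attrs=128)


class StanzaLimitError(Exception):
    pass


class StanzaGuard:
    """Counts bytes, depth, elements and attributes in expat callbacks and
    aborts the parse the moment a limit is crossed. Because the check runs
    before any tree node for the element is built, an over-complex stanza
    never reaches the point where a few serialized bytes turn into a heap
    allocation with its own attribute table and child list."""

    def __init__(self, limits: Limits) -> None:
        self.limits = limits
        self.bytes_seen = 0
        self.depth = 0
        self.max_depth = 0
        self.nodes = 0
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.StartElementHandler = self._start
        self.parser.EndElementHandler = self._end

    def feed(self, chunk: bytes, final: bool = False) -> None:
        self.bytes_seen += len(chunk)
        if self.bytes_seen > self.limits.max_bytes:
            raise StanzaLimitError(f"stanza larger than {self.limits.max_bytes} bytes")
        try:
            self.parser.Parse(chunk, final)   # exceptions raised in handlers propagate here
        except xml.parsers.expat.ExpatError as exc:
            raise StanzaLimitError(f"malformed XML: {exc}") from None

    def _start(self, name: str, attrs: dict) -> None:
        self.depth += 1
        self.nodes += 1
        self.max_depth = max(self.max_depth, self.depth)
        if self.depth > self.limits.max_depth:
            raise StanzaLimitError(f"nesting deeper than {self.limits.max_depth}")
        if self.nodes > self.limits.max_nodes:
            raise StanzaLimitError(f"more than {self.limits.max_nodes} elements")
        if len(attrs) > self.limits.max_attrs:
            raise StanzaLimitError(f"<{name}> carries more than {self.limits.max_attrs} attributes")

    def _end(self, name: str) -> None:
        self.depth -= 1


@dataclass(frozen=True)
class Verdict:
    ok: bool
    reason: str
    nodes: int      # elements seen before the verdict was reached
    max_depth: int  # deepest nesting seen before the verdict was reached
    size: int       # serialized bytes of the whole stanza


def check_stanza(stanza: bytes, authenticated: bool, chunk_size: int = 512) -> Verdict:
    """Feed one stanza through the guard in network-sized chunks."""
    guard = StanzaGuard(AUTHENTICATED if authenticated else UNAUTHENTICATED)
    try:
        for i in range(0, len(stanza), chunk_size):
            guard.feed(stanza[i:i + chunk_size])
        guard.feed(b"", final=True)
    except StanzaLimitError as exc:
        return Verdict(False, str(exc), guard.nodes, guard.max_depth, len(stanza))
    return Verdict(True, "ok", guard.nodes, guard.max_depth, len(stanza))


# Constructed sample stanzas (not captured traffic).
NORMAL_MESSAGE = b'<message to="juliet@example.net" type="chat"><body>hi</body></message>'
DEEP_NESTING = b"<a>" * 40 + b"</a>" * 40                       # 280 bytes, depth 40
MANY_ELEMENTS = b"<message>" + b"<x/>" * 500 + b"</message>"    # about 2 KB, 501 elements
MANY_ATTRIBUTES = b"<iq " + b" ".join(b'a%d="1"' % i for i in range(50)) + b"/>"

if __name__ == "__main__":
    for label, stanza in [("normal", NORMAL_MESSAGE), ("deep", DEEP_NESTING),
                          ("wide", MANY_ELEMENTS), ("attrs", MANY_ATTRIBUTES)]:
        for auth in (False, True):
            v = check_stanza(stanza, auth)
            print(f"{label:6} auth={auth!s:5} {v.size:5}B nodes={v.nodes:4} depth={v.max_depth:3} -> {v.reason}")
```

The numbers worth looking at are the ratio of elements to bytes: MANY_ELEMENTS is about 2 KB on the wire but 501 elements, each of which a tree-building parser would materialise as its own allocation with an attribute table and a child list. Counting in the parser callbacks rather than after the tree exists is what lets the check fire before that memory is spent, and the byte limit alone would not have caught it.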
Resource amplification (first CVE):

- Lower stanza size limits have been introduced for unauthenticated streams.
  Commits: [8a4417d32b0f](https://hg.prosody.im/trunk/rev/8a4417d32b0f), [166ac7d65cb6](https://hg.prosody.im/trunk/rev/166ac7d65cb6), [a4327478678f](https://hg.prosody.im/trunk/rev/a4327478678f)
- Limits have been placed on the complexity of XML stanzas, to disallow stanzas that would consume significantly more memory than their serialized form.
  Commits: [6c7549964d4d](https://hg.prosody.im/trunk/rev/6c7549964d4d), [1e005ba71f0d](https://hg.prosody.im/trunk/rev/1e005ba71f0d)

Memory leaks (second CVE):

- Four memory leaks have been fixed; two could be triggered by unauthenticated connections and two by authenticated users.
  Commits: [836a70deb3c9](https://hg.prosody.im/trunk/rev/836a70deb3c9) (unauthenticated), [e27d94d8f505](https://hg.prosody.im/trunk/rev/e27d94d8f505) (unauthenticated), [041c7ff18f76](https://hg.prosody.im/trunk/rev/041c7ff18f76) (authenticated), [374b72785488](https://hg.prosody.im/trunk/rev/374b72785488) (authenticated)

Other:

- Code to configure per-IP connection limits has been introduced. However, this is currently experimental, and it is preferable to enforce such limits with the system firewall where possible. Refer to the documentation for your system firewall.

**Attribution**

The resource amplification attack was discovered and disclosed to the Prosody team by Ley in advance of their public blog post. The memory leaks were discovered by the Prosody team during their research into this issue.

Unauthenticated Use of SOCKS5 Proxy (mod_proxy65)
-------------------------------------------------------

CVEs              : We have requested 1 CVE
CVSS              : 5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CWEs              : CWE-863
Affected versions : All versions prior to 0.12.6 and 13.0.5
Fixed versions    : 0.12.6, 13.0.5

**Description**

It was discovered that mod_proxy65's access control was broken and incomplete due to two bugs.
Firstly, due to changes in our default network backend, a connection that mod_proxy65 believed to be "paused" was in fact able to send data through the proxy before authorization.

Secondly, mod_proxy65 only checked the access control rules during the discovery stage of the protocol, not during the activation stage. Any entity able to guess the domain and port of the proxy (which defaults to port 5000) could skip the discovery stage and use the proxy.

**Limitations**

mod_proxy65 is designed to facilitate file transfers and other binary streams between two XMPP entities. It is not a generic SOCKS5 proxy, and this limits the scope of potential abuse. For example, mod_proxy65 does not make outbound connections, and therefore cannot be abused for forward proxying of an attacker's connections to arbitrary endpoints. It requires both peers to connect to the proxy and perform a SOCKS5 handshake.

**Affected configurations**

All deployments with mod_proxy65 enabled are affected. mod_proxy65 is not enabled in the default configuration.

**Mitigation**

mod_proxy65 can be disabled; however, this may have a negative impact on some kinds of file transfers.

**Fixes**

Fixes were made in two commits:

- [f34ad235cf3b](https://hg.prosody.im/trunk/rev/f34ad235cf3b)
- [4bbb17445ed9](https://hg.prosody.im/trunk/rev/4bbb17445ed9)

**Attribution**

The issue with unpausing connections was discovered and disclosed by Max Hearnden. The missing authorization check was discovered during a review of the code by a Prosody team member.
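To make the two bugs concrete, here is an added Python model of a XEP-0065 (SOCKS5 Bytestreams) proxy, written for this page and not taken from mod_proxy65 or from the commits above. Both peers send a SOCKS5 CONNECT whose DST.ADDR is the SHA-1 of SID + Requester JID + Target JID (as XEP-0065 specifies); their connections stay paused, with nothing relayed, until the requester activates the stream; and the access check runs inside activate() rather than only at discovery, so a peer that guessed the host and port and skipped discovery is still refused. The Proxy65 class, its allowed-domain policy, the connection identifiers and the JIDs are assumptions constructed for illustration.

```python
# Added example (not Prosody's mod_proxy65): a minimal model of a XEP-0065
# SOCKS5 Bytestreams proxy that (1) keeps both halves of a stream paused until
# the requester activates it and (2) applies the access-control list at
# activation, not only at discovery. The Proxy65 class, its policy and the
# sample JIDs are assumptions constructed for illustration.
import hashlib
import struct

SOCKS_VER, CMD_CONNECT, ATYP_DOMAIN = 0x05, 0x01, 0x03
REP_SUCCESS, REP_REFUSED = 0x00, 0x05   # RFC 1928 reply codes


def proxy65_dstaddr(sid: str, requester: str, target: str) -> str:
    """XEP-0065 DST.ADDR: lowercase hex SHA-1 of SID + Requester JID + Target JID."""
    return hashlib.sha1((sid + requester + target).encode("utf-8")).hexdigest()


def build_connect(dstaddr: str) -> bytes:
    """SOCKS5 CONNECT as both peers send it: domain-name address type, port 0."""
    host = dstaddr.encode("ascii")
    return bytes([SOCKS_VER, CMD_CONNECT, 0x00, ATYP_DOMAIN, len(host)]) + host + struct.pack("!H", 0)


def parse_connect(req: bytes) -> str:
    """Return the DST.ADDR from a CONNECT request, or raise ValueError."""
    if len(req) < 5 or req[0] != SOCKS_VER or req[1] != CMD_CONNECT or req[3] != ATYP_DOMAIN:
        raise ValueError("not a SOCKS5 CONNECT with a domain-name address")
    n = req[4]
    host, port = req[5:5 + n], req[5 + n:]
    if len(host) != n or len(port) != 2:
        raise ValueError("truncated request")
    dstaddr = host.decode("ascii", errors="replace")
    if len(dstaddr) != 40 or set(dstaddr) - set("0123456789abcdef"):
        raise ValueError("DST.ADDR is not a 40-character hex SHA-1")
    return dstaddr


def _reply(code: int) -> bytes:
    # VER REP RSV ATYP=domain, empty BND.ADDR, BND.PORT 0
    return bytes([SOCKS_VER, code, 0x00, ATYP_DOMAIN, 0x00]) + struct.pack("!H", 0)


def jid_domain(jid: str) -> str:
    return jid.split("@", 1)[-1].split("/", 1)[0]


class Proxy65:
    def __init__(self, allowed_domains) -> None:
        self.allowed = set(allowed_domains)
        self.sessions = {}  # dstaddr -> {"conns": [conn_id, ...], "active": bool}

    def is_allowed(self, jid: str) -> bool:
        """The access check. Running it only when a client *discovers* the
        proxy is not enough: a peer that already knows host and port can skip
        discovery entirely, so activate() runs it again."""
        return jid_domain(jid) in self.allowed

    def socks5_connect(self, conn_id: str, request: bytes) -> bytes:
        """One peer's CONNECT. The connection stays paused (nothing it sends
        is forwarded) until the requester activates the stream."""
        try:
            dstaddr = parse_connect(request)
        except ValueError:
            return _reply(REP_REFUSED)
        session = self.sessions.setdefault(dstaddr, {"conns": [], "active": False})
        if len(session["conns"]) >= 2:
            return _reply(REP_REFUSED)
        session["conns"].append(conn_id)
        return _reply(REP_SUCCESS)

    def activate(self, requester: str, sid: str, target: str) -> bool:
        """The requester's activation request. Authorization is enforced here."""
        if not self.is_allowed(requester):
            return False
        session = self.sessions.get(proxy65_dstaddr(sid, requester, target))
        if session is None or len(session["conns"]) != 2:
            return False
        session["active"] = True
        return True

    def data_from(self, conn_id: str, data: bytes):
        """Bytes arriving on a peer connection. Returns (peer_conn, data) when
        they are relayed, or None while the stream is still paused or unknown."""
        for session in self.sessions.values():
            if conn_id in session["conns"]:
                if not session["active"]:
                    return None   # paused: nothing crosses the proxy before activation
                peer = next(c for c in session["conns"] if c != conn_id)
                return (peer, data)
        return None


if __name__ == "__main__":
    proxy = Proxy65(allowed_domains={"example.org"})
    sid, alice, bob = "sid-1", "alice@example.org/laptop", "bob@example.net/phone"
    dst = proxy65_dstaddr(sid, alice, bob)
    proxy.socks5_connect("conn-alice", build_connect(dst))
    proxy.socks5_connect("conn-bob", build_connect(dst))
    print("before activation:", proxy.data_from("conn-alice", b"early"))    # None
    print("activate:", proxy.activate(alice, sid, bob))                      # True
    print("after activation:", proxy.data_from("conn-alice", b"payload"))   # ('conn-bob', b'payload')
```

In a real server a refused activation should also close the two paused sockets rather than leave them waiting, and "paused" means the socket is not read at all, not that its bytes are read and discarded; the model returns None in that state only to make the property visible to the caller.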