Prosody XMPP server advisory 2026-04-29 (Multiple Vulnerabilities)

Prosody XMPP server advisory 2026-04-29 (Multiple Vulnerabilities)

Project

Prosody XMPP server

URL

https://prosody.im/

Date

2026-04-29

This advisory details two security vulnerabilities discovered in the Prosody.im XMPP server software. Fixes are available in Prosody 13.0.5. Deployments still using the Prosody 0.12 series can upgrade to 0.12.6.

In this advisory:

• Denial of Service via Memory Exhaustion
• Unauthenticated Use of SOCKS5 Proxy (mod_proxy65)

Full details of the vulnerabilities are below.

The recommended advice is for all Prosody users to:

• Upgrade to 13.0.5
• For extra protection, review system firewall limits (see below)

This advisory can be found online at:

• https://prosody.im/security/advisory_735dd9d3/ (HTML)
• https://prosody.im/security/advisory_735dd9d3.txt (text)

Denial of Service via Memory Exhaustion

CVEs

We have requested 2 CVEs

CVSS

7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)

CWEs

CWE-405, CWE-770, CWE-772

Affected versions

All versions prior to 13.0.5

Fixed versions

0.12.6, 13.0.5

References

• https://blog.unionium.org/ARTICLES/1.HTM (third-party, see below)

Note: We have provided the original reporter’s blog post as a reference, as it contains the original report and proof-of-concept exploit code. However, the Prosody developers do not recommend the analysis and mitigations provided in that post to Prosody operators.

Description

Traffic patterns were discovered which can cause Prosody to consume excessive amounts of memory with much smaller amounts of incoming traffic. This traffic can be sent by unauthenticated connections.

Prosody has per-connection rate limits. However, the protection provided by rate limits was reduced due to amplification of memory usage compared to the data transmitted by the attacker.

Further, Prosody does not enforce limits on the total number of connections, allowing an attacker to increase the impact by using multiple concurrent connections.

Finally, the attack revealed per-connection resource leaks, where a connection could continue to consume resources in Prosody even after the stream is finished.

Affected configurations

All Prosody versions prior to 13.0.5 are believed to be affected.

Further, the issues described in this advisory are closely related to libexpat CVE-2025-59375. Fully protecting Prosody deployments requires that LuaExpat (a required dependency of Prosody) is linked against libexpat 2.7.2 or later (the version of expat in use can be discovered in the output of ‘prosodyctl about’).

Mitigation

Operators of Prosody servers are encouraged to utilize their system’s firewall to limit the rate and total number of connections to their service.

For example, ‘ufw’ is a widely available firewall tool which can limit excessive incoming connection requests. To apply this limiting to the standard XMPP ports, you would run:

  ufw limit 5222
  ufw limit 5269

iptables and nftables also have ‘connlimit’ features to limit the total number of connections per IP address. Refer to the documentation of your firewall for correct configuration.

It is not recommended to drastically lower Prosody’s per-connection bandwidth rate limits as described in the blog post by the original reporter. Lowering rate limits slows down processing of an attacker’s connections, causing them to remain active for longer. This can negatively impact Prosody’s resource usage. Prosody’s default rate limits are generally considered sufficient.

Fixes

The attack revealed a number of areas where the resource usage of connections could exceed expected and desired levels. Multiple fixes were applied.

Resource amplification (first CVE):

• Lower stanza size limits have been introduced for unauthenticated streams.
  Commits: 8a4417d32b0f, 166ac7d65cb6, a4327478678f
• Limits have been placed on the complexity of XML stanzas, to disallow stanzas that will consume significantly larger amounts of memory than their serialized form.
  Commits: 6c7549964d4d, 1e005ba71f0d

Memory leaks (second CVE):

• Four memory leaks have been fixed, two could be triggered by unauthenticated connections, and two by authenticated users.
  Commits: 836a70deb3c9 (unauthenticated), e27d94d8f505 (unauthenticated), 041c7ff18f76 (authenticated), 374b72785488 (authenticated)

Other:

• Code to configure per-IP connection limits has been introduced, however this is currently in an experimental status, and it is preferable to utilize a system firewall to enforce such limits if possible. Refer to the documentation for your system firewall.

Attribution

The resource amplification attack was discovered and disclosed to the Prosody team by Ley <unionium.org> in advance of their public blog post.

The memory leaks were discovered by the Prosody team during their research into this issue.

Unauthenticated Use of SOCKS5 Proxy (mod_proxy65)

CVEs

We have requested 1 CVE

CVSS

5.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)

CWEs

CWE-863

Affected versions

All versions prior to 0.12.6 and 13.0.5

Fixed versions

0.12.6, 13.0.5

Description

It was discovered that mod_proxy65’s access control was broken and incomplete due to two bugs.

Firstly, due to changes in our default network backend, a connection that mod_proxy65 believed to be “paused” would actually be able to send data through the proxy before authorization.

Secondly, mod_proxy65 only checked the access control rules during the discoverability stage of the protocol, but not during the activation stage. Any entity able to guess the domain and port of the proxy (which defaults to port 5000) could skip the discoverability stage and would be able to use it.

Limitations

mod_proxy65 is designed to facilitate file transfers and other binary streams between two XMPP entities. It is not a generic SOCKS5 proxy, and this limits the scope of potential abuse.

For example, mod_proxy65 does not make outbound connections, and therefore cannot be abused for forward proxying of an attacker’s connections to arbitrary endpoints. It requires both peers to make a connection to the proxy and perform a SOCKS5 handshake.

Affected configurations

All deployments with mod_proxy65 enabled are affected. mod_proxy65 is not enabled in the default configuration.

Mitigation

mod_proxy65 can be disabled, however this may have a negative impact on some kinds of file transfers.

Fixes

Fixes were made in two commits:

• f34ad235cf3b
• 4bbb17445ed9

Attribution

The issue with unpausing connections was discovered and disclosed by Max Hearnden https://github.com/MaxHearnden/.

The missing authorization was discovered review of the code by a Prosody team member.