Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Lifecycle Timeline
6DescriptionCVE.org
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory exhaustion caused by memory leaks from unauthenticated connections.
AnalysisAI
Prosody XMPP server versions before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5 are vulnerable to denial of service via memory exhaustion from unauthenticated connections. An attacker can remotely trigger memory leaks by establishing multiple connections without authentication, eventually exhausting server memory and causing service unavailability. No special configuration or user interaction is required; the vulnerability affects default Prosody deployments accessible over the network.
Technical ContextAI
Prosody is an XMPP (Extensible Messaging and Presence Protocol) server written in Lua. The vulnerability stems from CWE-401 (Missing Release of Memory after Effective Lifetime), indicating that memory allocated during connection handling is not properly freed when unauthenticated sessions are terminated or abandoned. The XMPP protocol defines connection establishment and stream negotiation phases before authentication; the memory leak occurs during these early protocol phases, allowing attackers to trigger leaks without providing valid credentials. The affected CPE indicates all versions of Prosody up to specified branches are vulnerable, suggesting the issue affects core connection management code.
RemediationAI
Upgrade Prosody to version 0.12.6 or later for the 0.12.x branch, or to version 13.0.5 or later for the 1.x/13.x branches. Patch availability is confirmed via the official Prosody security advisory (https://prosody.im/security/advisory_735dd9d3/). If immediate patching is not feasible, implement network-level mitigations: restrict XMPP C2S (client-to-server) port access via firewall rules to trusted IP ranges, implement connection rate limiting at the firewall or reverse proxy level (e.g., limit new connections per IP per minute), and deploy aggressive connection timeout policies (close idle or incomplete connections after 30 seconds). Monitor memory usage on Prosody processes; set process memory ulimits via systemd or containerization to trigger automatic restart if memory threshold is exceeded, preventing full system memory exhaustion. These workarounds reduce but do not eliminate risk and may impact legitimate users with slow network connections.
plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compr
It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML feat
muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, me
prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Rated high severity (CVSS 8.8), this v
Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers
The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server
Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. Rated high seve
An issue was discovered in Prosody before 0.11.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit
An issue was discovered in Prosody before 0.11.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploit
Unauthenticated traffic relay vulnerability in Prosody mod_proxy65 module allows network attackers to bypass access cont
Improper access control in Prosody's mod_proxy65 module allows unauthenticated relaying of traffic when the module enter
Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows
Same weakness CWE-401 – Memory Leak
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26659