Skip to main content

Prosody

17 CVEs product

Monthly

CVE-2026-43507 MEDIUM PATCH This Month

Denial of service via memory exhaustion in Prosody before 0.12.6 and 1.0.0 through 13.0.4 allows unauthenticated remote attackers to crash the server through XML parsing resource amplification. An attacker can send specially crafted XML payloads to trigger excessive memory consumption without authentication, resulting in service unavailability with a CVSS score of 5.3 indicating low severity availability impact.

Denial Of Service Prosody
NVD VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-43506 MEDIUM PATCH This Month

Prosody XMPP server versions before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5 are vulnerable to denial of service via memory exhaustion from unauthenticated connections. An attacker can remotely trigger memory leaks by establishing multiple connections without authentication, eventually exhausting server memory and causing service unavailability. No special configuration or user interaction is required; the vulnerability affects default Prosody deployments accessible over the network.

Denial Of Service Prosody
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-43505 MEDIUM PATCH This Month

Unauthenticated traffic relay vulnerability in Prosody mod_proxy65 module allows network attackers to bypass access control during SOCKS5 activation, resulting in integrity compromise and service disruption without requiring authentication. Affected versions are Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5 when mod_proxy65 is enabled. CVSS 6.5 reflects medium severity with network-accessible attack surface, low complexity, and non-privileged unauthenticated access, though confirmed availability and integrity impact limits widespread severity.

Information Disclosure Prosody
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-43504 MEDIUM PATCH This Month

Improper access control in Prosody's mod_proxy65 module allows unauthenticated relaying of traffic when the module enters a paused state, enabling attackers to bypass authentication and impact data integrity and availability across affected versions. Prosody before 0.12.6 and versions 1.0.0 through 13.0.0 before 13.0.5 are vulnerable when mod_proxy65 is explicitly enabled; no public exploit code or active exploitation has been confirmed at time of analysis, though the network-accessible vulnerability with no authentication requirement and low complexity presents meaningful real-world risk.

Authentication Bypass Prosody
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2022-0217 HIGH POC PATCH This Week

It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Prosody
NVD
CVSS 3.1
7.5
EPSS
4.6%
CVE-2021-37601 HIGH POC This Week

muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Prosody
NVD
CVSS 3.1
7.5
EPSS
2.3%
CVE-2021-32921 MEDIUM This Month

An issue was discovered in Prosody before 0.11.9. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Race Condition Prosody Fedora Debian Linux
NVD
CVSS 3.1
5.9
EPSS
1.6%
CVE-2021-32920 HIGH This Week

Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Prosody Debian Linux Fedora
NVD
CVSS 3.1
7.5
EPSS
2.3%
CVE-2021-32919 HIGH This Week

An issue was discovered in Prosody before 0.11.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Prosody Debian Linux Fedora
NVD
CVSS 3.1
7.5
EPSS
1.4%
CVE-2021-32918 HIGH This Week

An issue was discovered in Prosody before 0.11.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Prosody Debian Linux Fedora
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2021-32917 MEDIUM This Month

An issue was discovered in Prosody before 0.11.9. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Prosody Debian Linux Fedora
NVD
CVSS 3.1
5.3
EPSS
2.2%
CVE-2018-10847 HIGH This Week

prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Prosody
NVD
CVSS 3.0
8.8
EPSS
1.7%
CVE-2016-0756 MEDIUM PATCH This Month

The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Prosody
NVD
CVSS 3.0
5.3
EPSS
0.7%
CVE-2016-1232 HIGH PATCH This Week

The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Prosody Fedora Debian Linux
NVD
CVSS 3.0
7.5
EPSS
0.7%
CVE-2016-1231 MEDIUM PATCH This Month

Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Fedora Prosody Debian Linux
NVD
CVSS 3.0
5.9
EPSS
0.7%
CVE-2014-2745 HIGH This Week

Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream,. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Privilege Escalation Prosody
NVD VulDB
CVSS 2.0
7.8
EPSS
2.2%
CVE-2014-2744 HIGH POC This Week

plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Metronome Prosody
NVD VulDB
CVSS 2.0
7.8
EPSS
2.2%
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Denial of service via memory exhaustion in Prosody before 0.12.6 and 1.0.0 through 13.0.4 allows unauthenticated remote attackers to crash the server through XML parsing resource amplification. An attacker can send specially crafted XML payloads to trigger excessive memory consumption without authentication, resulting in service unavailability with a CVSS score of 5.3 indicating low severity availability impact.

Denial Of Service Prosody
NVD VulDB
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Prosody XMPP server versions before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5 are vulnerable to denial of service via memory exhaustion from unauthenticated connections. An attacker can remotely trigger memory leaks by establishing multiple connections without authentication, eventually exhausting server memory and causing service unavailability. No special configuration or user interaction is required; the vulnerability affects default Prosody deployments accessible over the network.

Denial Of Service Prosody
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Unauthenticated traffic relay vulnerability in Prosody mod_proxy65 module allows network attackers to bypass access control during SOCKS5 activation, resulting in integrity compromise and service disruption without requiring authentication. Affected versions are Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5 when mod_proxy65 is enabled. CVSS 6.5 reflects medium severity with network-accessible attack surface, low complexity, and non-privileged unauthenticated access, though confirmed availability and integrity impact limits widespread severity.

Information Disclosure Prosody
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Improper access control in Prosody's mod_proxy65 module allows unauthenticated relaying of traffic when the module enters a paused state, enabling attackers to bypass authentication and impact data integrity and availability across affected versions. Prosody before 0.12.6 and versions 1.0.0 through 13.0.0 before 13.0.5 are vulnerable when mod_proxy65 is explicitly enabled; no public exploit code or active exploitation has been confirmed at time of analysis, though the network-accessible vulnerability with no authentication requirement and low complexity presents meaningful real-world risk.

Authentication Bypass Prosody
NVD VulDB
EPSS 5% CVSS 7.5
HIGH POC PATCH This Week

It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XXE Prosody
NVD
EPSS 2% CVSS 7.5
HIGH POC This Week

muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Information Disclosure Prosody
NVD
EPSS 2% CVSS 5.9
MEDIUM This Month

An issue was discovered in Prosody before 0.11.9. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Race Condition Prosody +2
NVD
EPSS 2% CVSS 7.5
HIGH This Week

Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Prosody Debian Linux +1
NVD
EPSS 1% CVSS 7.5
HIGH This Week

An issue was discovered in Prosody before 0.11.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Prosody Debian Linux +1
NVD
EPSS 2% CVSS 7.5
HIGH This Week

An issue was discovered in Prosody before 0.11.9. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Prosody Debian Linux +1
NVD
EPSS 2% CVSS 5.3
MEDIUM This Month

An issue was discovered in Prosody before 0.11.9. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Prosody Debian Linux +1
NVD
EPSS 2% CVSS 8.8
HIGH This Week

prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Authentication Bypass Prosody
NVD
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

The generate_dialback function in the mod_dialback module in Prosody before 0.9.10 does not properly separate fields when generating dialback keys, which allows remote attackers to spoof XMPP network. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Prosody
NVD
EPSS 1% CVSS 7.5
HIGH PATCH This Week

The mod_dialback module in Prosody before 0.9.9 does not properly generate random values for the secret token for server-to-server dialback authentication, which makes it easier for attackers to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Prosody Fedora +1
NVD
EPSS 1% CVSS 5.9
MEDIUM PATCH This Month

Directory traversal vulnerability in the HTTP file-serving module (mod_http_files) in Prosody 0.9.x before 0.9.9 allows remote attackers to read arbitrary files via a .. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Fedora Prosody +1
NVD
EPSS 2% CVSS 7.8
HIGH This Week

Prosody before 0.9.4 does not properly restrict the processing of compressed XML elements, which allows remote attackers to cause a denial of service (resource consumption) via a crafted XMPP stream,. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Denial Of Service Privilege Escalation Prosody
NVD VulDB
EPSS 2% CVSS 7.8
HIGH POC This Week

plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to. Rated high severity (CVSS 7.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Metronome Prosody
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy