Description
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_proxy65 mishandles access control in the activation scenario, relaying of unauthenticated traffic can occur.
Published: 2026-05-01
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is in mod_proxy65, Prosody's SOCKS5 bytestreams (XEP-0065) proxy, which mishandles access control in the activation step, the point at which the proxy is asked to join two connected streams. As a result, traffic from parties the server has not authenticated can be relayed through it. The weakness is classified as CWE-420 (Unprotected Alternate Channel). The CVSS vector records no confidentiality impact (C:N) and low integrity and availability impact (I:L/A:L): the realistic consequences are abuse of the server as a relay for traffic that appears to originate from it, and bandwidth or connection exhaustion, rather than disclosure of existing users' data.

Affected Systems

Prosody installations running any version before 0.12.6, or any release from 1.0.0 through 13.0.4, are affected when mod_proxy65 is enabled; deployments that do not load the module are not exposed. According to the CVE description, 0.12.6 and 13.0.5 are the first unaffected releases in their respective branches.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:N/UI:N) reflects moderate severity: the issue is reachable over the network and needs neither privileges nor user interaction, and the SSVC assessment marks it Automatable: yes with Exploitation: none at publication. No EPSS score is available and the vulnerability is not listed in CISA KEV, so observed exploitation is believed to be low. It is triggered by connecting to a Prosody service that has mod_proxy65 enabled, without authenticating to the XMPP server. No public exploit is documented on this page, but an attacker could use the server as a relay between peers it has not authenticated.

Generated by OpenCVE AI on May 1, 2026 at 22:56 UTC.

Remediation

No vendor advisory or workaround is linked on this page. The CVE description itself identifies 0.12.6 and 13.0.5 as the first unaffected releases of their branches.

OpenCVE Recommended Actions

  • Upgrade Prosody to a release that includes the fixed mod_proxy65: 0.12.6 or newer on the 0.12 branch, or 13.0.5 or newer.
  • If SOCKS5 bytestream proxying is not required, remove the proxy65 Component from the Prosody configuration so the module is never loaded.
  • After upgrading, or if the proxy must stay enabled, confirm the running version (for example with prosodyctl about) and check that no proxy65 Component is loaded unintentionally; where the proxy is needed, restrict which hosts may use it with Prosody's proxy65_acl option as defence in depth (a general hardening measure, not a documented fix for this issue).
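The two checks above can be scripted. The following triage helper is an added example, not code from the Prosody project or from OpenCVE: it tests a version string against the affected ranges stated in the CVE description and scans a prosody.cfg.lua for a loaded proxy65 component. It assumes the standard Lua configuration syntax (`Component "host" "proxy65"`), treats a bare `"proxy65"` entry in `modules_enabled` as loading the module too, and uses a constructed sample config; the comment stripping is heuristic and does not implement a full Lua parser.

```python
"""Triage helper for CVE-2026-43505 (Prosody mod_proxy65) - added example.

Two checks: is the running Prosody version in an affected range, and does
the configuration actually load mod_proxy65 (the issue only applies when
the module is enabled).
"""
import re
from typing import Dict, List, Tuple

# Affected per the CVE description: every release before 0.12.6, and
# 1.0.0 up to but not including 13.0.5.
FIXED_012 = (0, 12, 6)
FIRST_1X = (1, 0, 0)
FIXED_13 = (13, 0, 5)


def parse_version(text: str) -> Tuple[int, ...]:
    """Pull a dotted numeric version such as '13.0.4' out of free text
    (e.g. a line of `prosodyctl about` output), ignoring trailing suffixes."""
    m = re.search(r"(\d+(?:\.\d+)+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))  # '13.0' compares as 13.0.0


def is_affected(version: str) -> bool:
    """True when the version falls inside either affected range."""
    v = parse_version(version)[:3]
    if v < FIXED_012:
        return True
    return FIRST_1X <= v < FIXED_13


# mod_proxy65 is normally loaded as a component:  Component "proxy.example.com" "proxy65"
COMPONENT_RE = re.compile(r'^\s*Component\s+"([^"]+)"\s+"proxy65"', re.M)
MODULES_RE = re.compile(r"modules_enabled\s*=\s*\{(.*?)\}", re.S)


def strip_lua_comments(cfg: str) -> str:
    """Heuristically drop --[[ block ]] and -- line comments so a
    commented-out Component line is not counted as enabled."""
    cfg = re.sub(r"--\[\[.*?\]\]", "", cfg, flags=re.S)
    return re.sub(r"--[^\n]*", "", cfg)


def proxy65_hosts(cfg: str) -> List[str]:
    """Return the component hosts that load proxy65 (plus a marker if it is
    listed in modules_enabled). Empty list means the module is not loaded."""
    cfg = strip_lua_comments(cfg)
    hosts = COMPONENT_RE.findall(cfg)
    for block in MODULES_RE.findall(cfg):
        if re.search(r'"proxy65"', block):
            hosts.append("<modules_enabled>")
    return hosts


def triage(version: str, cfg: str) -> Dict[str, object]:
    """Combine both checks: exposed only if the version is affected AND
    the config actually loads the module."""
    hosts = proxy65_hosts(cfg)
    affected = is_affected(version)
    return {
        "affected_version": affected,
        "proxy65_hosts": hosts,
        "vulnerable": affected and bool(hosts),
    }


# Constructed sample prosody.cfg.lua for this example (not a real deployment).
SAMPLE_CFG = '''
VirtualHost "example.com"

modules_enabled = {
    "roster";
    "saslauth";
}

Component "proxy.example.com" "proxy65"
    proxy65_address = "proxy.example.com"
    proxy65_acl = { "example.com" }   -- restricts which hosts may use the proxy

-- Component "old-proxy.example.com" "proxy65"   (commented out, must not count)
'''

if __name__ == "__main__":
    for ver in ("Prosody 0.12.5", "0.12.6", "13.0.4", "13.0.5"):
        print(ver, triage(ver, SAMPLE_CFG))
```

Run it against the real `prosodyctl about` output and config file: a result of `vulnerable: True` means upgrade or remove the component; `affected_version: True` with no hosts means the version should still be upgraded but the relay is not exposed.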

Advisories

No advisories yet.

History

Fri, 01 May 2026 23:15:00 +0000

Type      Values Removed   Values Added
Title     (none)           Unauthorized traffic relay via misconfigured mod_proxy65

Fri, 01 May 2026 17:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 15:00:00 +0000

Type                  Values Removed   Values Added
Description           (none)           An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5, when mod_proxy65 is enabled. Because mod_proxy65 mishandles access control in the activation scenario, relaying of unauthenticated traffic can occur.
First Time appeared   (none)           Prosody; Prosody prosody
Weaknesses            (none)           CWE-420
CPEs                  (none)           cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*
Vendors & Products    (none)           Prosody; Prosody prosody
References            (none)           (none)
Metrics               (none)           cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T15:48:52.374Z

Reserved: 2026-05-01T14:42:33.053Z

Link: CVE-2026-43505

Vulnrichment

Updated: 2026-05-01T15:48:42.432Z

NVD

Status : Analyzed

Published: 2026-05-01T15:16:52.653

Modified: 2026-05-01T17:15:38.703

Link: CVE-2026-43505

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T23:00:14Z

Weaknesses