Description
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory exhaustion caused by XML parsing resource amplification from unauthenticated connections.
Published: 2026-05-01
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a denial-of-service caused by memory exhaustion during XML parsing. An unauthenticated client can send crafted XML that triggers Prosody to allocate excessive memory, ultimately leading to a crash or prolonged unresponsive state. This failure results in a loss of service for all clients connected to the affected server.

Affected Systems

The flaw affects Prosody versions before 0.12.6 and releases 1.0.0 through 13.0.0 before 13.0.5. For instance, Prosody 0.11.x, 0.12.0-0.12.5, and 1.0.0-13.0.4 are susceptible.

Risk and Exploitability

The CVSS score of 5.3 denotes moderate severity, yet the vulnerability can be triggered merely via an unauthenticated connection, making it a potential remote denial-of-service vector. The EPSS score is not available, so the probability of exploitation remains indeterminate. The issue is not listed in the CISA KEV catalog. An attacker can flood the server with XML requests, exhausting memory and causing service outage. Mitigation requires applying the vendor's fix or reducing the server's exposure to untrusted XML input.

Generated by OpenCVE AI on May 1, 2026 at 22:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Prosody to 0.12.6 or later on the 0.12 branch, or to 13.0.5 or later, the versions the description identifies as containing the vendor fix.
  • If an upgrade is not possible, restrict external access to the Prosody XMPP port so that only trusted clients can connect, thereby preventing unauthenticated XML requests from reaching the server.
  • Configure the server to limit the size of incoming XML payloads or disable XML parsing for unauthenticated connections to reduce memory consumption.
  • Apply kernel-level memory limits or system cgroups to prevent a single process from exhausting host memory when the vulnerability is triggered.

Generated by OpenCVE AI on May 1, 2026 at 22:55 UTC.

Advisories

No advisories yet.

History

Fri, 01 May 2026 23:15:00 +0000

Type     Values Removed    Values Added
Title                      Prosody Denial of Service via XML Parsing Resource Amplification

Fri, 01 May 2026 16:15:00 +0000

Type     Values Removed    Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 01 May 2026 15:00:00 +0000

Type                 Values Removed    Values Added
Description                            An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory exhaustion caused by XML parsing resource amplification from unauthenticated connections.
First Time appeared                    Prosody
                                       Prosody prosody
Weaknesses                             CWE-770
CPEs                                   cpe:2.3:a:prosody:prosody:*:*:*:*:*:*:*:*
Vendors & Products                     Prosody
                                       Prosody prosody
References
Metrics                                cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-01T15:20:38.141Z

Reserved: 2026-05-01T14:47:22.237Z

Link: CVE-2026-43507

Vulnrichment

Updated: 2026-05-01T15:20:25.778Z

NVD

Status: Analyzed

Published: 2026-05-01T15:16:52.990

Modified: 2026-05-01T17:09:17.600

Link: CVE-2026-43507

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T23:00:14Z

Weaknesses