CVE-2026-43506
Memory Leak DoS in Prosody Server
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| prosody | prosody | Up to 0.12.6 (exc) |
| prosody | prosody | From 13.0.0 (inc) to 13.0.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-401 | The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
This vulnerability affects Prosody before 0.12.6 and the 13.0 series from 13.0.0 up to, but not including, 13.0.5. It is a denial-of-service (DoS) issue: memory allocated for unauthenticated connections is not released when it is no longer needed (CWE-401), so an attacker who keeps opening such connections, without ever presenting credentials, can drive the server's memory consumption up until it is exhausted.
How can this vulnerability impact me?
The impact is a denial of service. Because the leak is triggered by connections that never authenticate, anyone who can reach the Prosody listener over the network can exploit it. Repeated connections exhaust system memory until the Prosody process crashes, is killed by the operating system, or becomes unresponsive, taking XMPP messaging for all users of the server down with it.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The reliable check is the installed version: run 'prosodyctl about' and compare the reported version against the affected ranges (before 0.12.6, or 13.0.0 up to 13.0.4). Anything in those ranges is vulnerable regardless of configuration.
Detecting active exploitation means watching for the symptom, namely memory consumption of the Prosody process that grows with unauthenticated connection activity rather than with the number of logged-in users. Network and system administrators should look for a steadily rising resident set size of the Prosody process together with an unusually high rate of connections that open but never authenticate, often from a small number of source addresses.
Suggested commands include using system monitoring tools to check memory usage and connection rates, for example:
- Use 'top' or 'htop' to monitor the memory usage of the Prosody process over time; a resident set that keeps growing without a matching rise in authenticated users is the signature to look for.
- Use 'ss -tnp' (or 'netstat -anp | grep prosody' on older systems) to list active connections to Prosody's listeners, by default ports 5222 (client-to-server), 5269 (server-to-server) and 5280/5281 (HTTP). The '-p' option needs root to show process names.
- Use 'lsof -p <prosody_pid>' to count open sockets and other descriptors held by the process.
- Monitor the Prosody log for sessions that log a connection but never an authentication, and for bursts of connection attempts from the same source addresses.
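The two log-side checks above, worked through as an added example that is not part of the CVE page or the Prosody project. It assumes Prosody listens on its default client port 5222, that the connection listing comes from Linux `ss -tn` (iproute2 column layout), and that the log lines follow Prosody's `<timestamp> <session-id> <level> <message>` format with the messages "Client connected" and "Authenticated as ..."; the sample data is constructed so the functions can be run offline.

```shell
#!/bin/sh
# Added example (not from the CVE page or the Prosody project). Assumptions:
# c2s on port 5222 (Prosody's default), `ss -tn` output in the iproute2 layout,
# and Prosody log lines of the form "<timestamp> <session-id> <level> <message>".

# Constructed sample of `ss -tn` output: one peer holds many sessions to 5222.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port      Peer Address:Port
ESTAB  0      0      203.0.113.10:5222       198.51.100.7:51001
ESTAB  0      0      203.0.113.10:5222       198.51.100.7:51002
ESTAB  0      0      203.0.113.10:5222       198.51.100.7:51003
ESTAB  0      0      203.0.113.10:5222       198.51.100.7:51004
ESTAB  0      0      203.0.113.10:5222       192.0.2.44:40210
ESTAB  0      0      [2001:db8::10]:5222     [2001:db8:1::7]:33001
ESTAB  0      0      203.0.113.10:5269       192.0.2.9:48010
ESTAB  0      0      203.0.113.10:22         192.0.2.44:40300'

# peers_over_threshold PORT N: read `ss -tn` output on stdin and print each
# peer address (and its socket count) that holds more than N sockets to local
# port PORT. Handles both "a.b.c.d:port" and "[v6]:port" forms.
peers_over_threshold() {
    awk -v port="$1" -v max="$2" '
        NR == 1 { next }                          # skip the header row
        {
            laddr = $4; peer = $5
            sub(/:[0-9]+$/, "", laddr)            # strip ":port" from local
            lport = substr($4, length(laddr) + 2) # what was after the colon
            if (lport != port) next               # only the c2s listener
            sub(/:[0-9]+$/, "", peer)             # strip ":port" from peer
            count[peer]++
        }
        END { for (p in count) if (count[p] > max) print p, count[p] }
    '
}

# Constructed sample in Prosody log format: two sessions authenticate, three
# connect and never do (the pattern the Q&A describes). Session ids are made up.
SAMPLE_LOG='May 01 10:00:01 c2s55d1e0a0 info Client connected
May 01 10:00:01 c2s55d1e0a0 info Authenticated as alice@example.com
May 01 10:00:02 c2s55d1e0b0 info Client connected
May 01 10:00:02 c2s55d1e0c0 info Client connected
May 01 10:00:03 c2s55d1e0d0 info Client connected
May 01 10:00:03 c2s55d1e0d0 info Authenticated as bob@example.com
May 01 10:00:04 c2s55d1e0e0 info Client connected
May 01 10:00:04 c2s55d1e0b0 info Client disconnected: connection closed'

# unauthenticated_sessions: read a Prosody log on stdin and print, sorted, the
# ids of c2s sessions that logged "Client connected" but never "Authenticated as".
unauthenticated_sessions() {
    awk '
        $4 ~ /^c2s/ && $6 == "Client" && $7 == "connected" { seen[$4] = 1 }
        $4 ~ /^c2s/ && $6 == "Authenticated"               { delete seen[$4] }
        END { for (s in seen) print s }
    ' | sort
}

# Demo on the constructed samples. Live use would be, for example:
#   ss -tn | peers_over_threshold 5222 20
#   unauthenticated_sessions < /var/log/prosody/prosody.log
printf '%s\n' "$SAMPLE_SS"  | peers_over_threshold 5222 3
printf '%s\n' "$SAMPLE_LOG" | unauthenticated_sessions
```

Run the two functions on a schedule and alert when the number of never-authenticated sessions, or the per-peer socket count, climbs together with the process's resident set size; either signal alone (a flaky client, a busy NAT) is common enough that the combination is what matters.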
What immediate steps should I take to mitigate this vulnerability?
The immediate step is to upgrade Prosody to 13.0.5 or later (or to 0.12.6 or later on the 0.12 series), the versions that contain the fix. Nothing short of the upgrade removes the leak.
Until the upgrade is in place, the following reduce exposure:
- Rate-limit new connections to Prosody's listeners per source address at the firewall, and cap concurrent connections per source, so that a single client cannot open unauthenticated sessions faster than the server can absorb the leaked memory.
- Disable the mod_proxy65 module if it is not needed, as it has related access control vulnerabilities.
- Ensure LuaExpat is linked against libexpat version 2.7.2 or later to address related memory issues.
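The firewall limit from the first bullet, as an added example that is not part of the CVE page or the Prosody project. It assumes a Linux host using iptables with the hashlimit and connlimit matches and Prosody's default client port 5222; the limits (30 new connections per minute with a burst of 60, at most 20 concurrent sessions per source address) are illustrative starting points and must be tuned to the real user base, in particular for users behind shared NAT addresses.

```shell
#!/bin/sh
# Added example (not from the CVE page or the Prosody project). Assumptions:
# Linux iptables with the hashlimit and connlimit extensions, c2s on 5222
# (Prosody's default), and illustrative limits that need tuning per deployment.
#
# Weak state: with no such rules a single source may open unauthenticated
# sessions as fast as the network allows, which is exactly what the leak needs.

# c2s_limit_rules PORT NEW_PER_MIN BURST MAX_CONCURRENT
# Print the iptables rules, one per line, without applying them. The rules
# must sit before any broad ACCEPT so that the SYN packets actually reach them.
c2s_limit_rules() {
    port=$1; rate=$2; burst=$3; conc=$4
    # Drop new connections (SYNs) from a source that exceeds NEW_PER_MIN,
    # allowing an initial burst so normal reconnect storms are not hit.
    printf '%s\n' "iptables -A INPUT -p tcp --dport $port --syn -m hashlimit --hashlimit-name xmpp-c2s-$port --hashlimit-mode srcip --hashlimit-above $rate/min --hashlimit-burst $burst -j DROP"
    # Refuse a new session once a source already holds MAX_CONCURRENT sessions;
    # a TCP reset tells a legitimate client immediately instead of leaving it hanging.
    printf '%s\n' "iptables -A INPUT -p tcp --dport $port --syn -m connlimit --connlimit-above $conc --connlimit-mask 32 -j REJECT --reject-with tcp-reset"
}

# apply_c2s_limits: same arguments; executes the rules (requires root).
apply_c2s_limits() {
    c2s_limit_rules "$@" | while IFS= read -r rule; do
        eval "$rule" || return 1
    done
}

# Print the rule set for review; apply it with: apply_c2s_limits 5222 30 60 20
c2s_limit_rules 5222 30 60 20
```

Apply the same pair of rules to port 5269 if server-to-server connections are exposed, with a lower connection cap, since a peer server normally needs only one or two sessions. Persist the rules through your distribution's iptables save mechanism or they will not survive a reboot.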