CVE-2026-43507
Memory Exhaustion via XML Parsing in Prosody
Publication date: 2026-05-01
Last updated on: 2026-05-01
Assigner: MITRE
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| prosody | prosody | Up to 0.12.6 (exc) |
| prosody | prosody | From 13.0.0 (inc) to 13.0.5 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
How can this vulnerability impact me?
The primary impact of this vulnerability is a Denial of Service (DoS) attack on the Prosody server. This means that an attacker can cause the server to crash or become unresponsive by exhausting its memory resources through malicious XML data.
As a result, legitimate users may be unable to connect or use the messaging services provided by the server, leading to service disruption and potential loss of availability.
Can you explain this vulnerability to me?
This vulnerability affects Prosody versions before 0.12.6, and versions 1.0.0 through 13.0.0 before 13.0.5. It is a Denial of Service (DoS) issue caused by memory exhaustion during XML parsing. Attackers exploit it by sending maliciously crafted XML data over unauthenticated connections, which amplifies resource consumption and causes the server to crash or become unresponsive.
Specifically, attackers create multiple valid XMPP connections and send deeply nested or oversized XML stanzas (referred to as BadXML). For example, sending a 256 KB stanza with excessive nesting to Prosody can crash the server.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual or excessive XML stanza sizes and deeply nested XML data being sent to the Prosody server from unauthenticated connections.
One way to detect potential exploitation attempts is to observe multiple valid XMPP connections from the same IP address sending large or deeply nested XML stanzas, which can cause memory exhaustion.
While specific commands are not provided, administrators can use network monitoring tools or log analysis to identify connections with unusually large stanza sizes (e.g., around 256 KB) or excessive nesting in XML payloads.
Additionally, monitoring the number of simultaneous connections per IP address can help detect abnormal connection patterns indicative of an attack.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include setting limits on the maximum stanza size and the number of simultaneous connections per IP address on the Prosody server.
For example, administrators should configure the server to reject or limit XML stanzas that exceed a certain size (such as 256 KB) or have excessive nesting to prevent memory exhaustion.
Limiting the number of connections from a single IP address can also reduce the risk of resource amplification attacks.
Upgrading to Prosody 0.12.6 or later, or 13.0.5 or later, where the vulnerability is fixed, is strongly recommended.
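The size and nesting limits described in the detection and mitigation answers above, as an added example that is not part of this advisory or of Prosody's own code: a streaming guard in Python that rejects a stanza as soon as it exceeds a byte budget or a nesting depth, run over constructed sample traffic. The 256 KB figure comes from the text; the depth cap of 32, the sample stream header, the chunk size and the sample stanzas are assumptions.

```python
import xml.parsers.expat
# Assumed thresholds: 256 KB is the stanza size the advisory cites; the depth cap is constructed.
MAX_STANZA_BYTES = 256 * 1024
MAX_DEPTH = 32
STREAM_OPEN = b'<stream:stream xmlns="jabber:client" xmlns:stream="http://etherx.jabber.org/streams">'

# Parses one connection's XML stream incrementally and aborts as soon as a stanza
# exceeds the size or nesting limit, so an abusive payload is never buffered whole.
class StanzaGuard:
    def __init__(self, max_bytes=MAX_STANZA_BYTES, max_depth=MAX_DEPTH):
        self.max_bytes, self.max_depth = max_bytes, max_depth
        self.depth, self.fed, self.stanza_start = 0, 0, None
        self.parser = xml.parsers.expat.ParserCreate()
        self.parser.StartElementHandler, self.parser.EndElementHandler = self._start, self._end

    def _start(self, name, attrs):
        self.depth += 1
        if self.depth > self.max_depth:
            raise ValueError(f"nesting depth {self.depth} exceeds {self.max_depth}")
        if self.depth <= 2:  # stream root (depth 1) or a top-level stanza (depth 2)
            self.stanza_start = self.parser.CurrentByteIndex

    def _end(self, name):
        if self.depth == 2:  # top-level stanza closed; stop counting its bytes
            self.stanza_start = None
        self.depth -= 1

    def feed(self, chunk):
        self.fed += len(chunk)
        self.parser.Parse(chunk, False)  # handler exceptions propagate out of Parse
        if self.stanza_start is not None and self.fed - self.stanza_start > self.max_bytes:
            raise ValueError(f"stanza size exceeds {self.max_bytes} bytes")

def check_stream(chunks, max_bytes=MAX_STANZA_BYTES, max_depth=MAX_DEPTH):
    """Feed socket reads through a guard; return (accepted, reason, bytes consumed)."""
    guard = StanzaGuard(max_bytes, max_depth)
    try:
        for chunk in chunks:
            guard.feed(chunk)
    except (ValueError, xml.parsers.expat.ExpatError) as err:  # malformed XML is rejected too
        return False, str(err), guard.fed
    return True, "ok", guard.fed

def chunked(data, size=4096):  # split a byte string into socket-sized reads
    return [data[i:i + size] for i in range(0, len(data), size)]

# Constructed samples: a benign message, a deeply nested stanza and an oversized one.
BENIGN = chunked(STREAM_OPEN + b'<message to="a@example.com"><body>hi</body></message>')
NESTED = chunked(STREAM_OPEN + b'<message>' + b'<x>' * 100)
OVERSIZED = chunked(STREAM_OPEN + b'<message><body>' + b'A' * (300 * 1024) + b'</body></message>')
```

For the oversized sample the guard stops after about 260 KB of the 300 KB payload, which is the point: the rejection happens before the whole stanza is read into memory.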
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes a Denial of Service (DoS) via memory exhaustion from XML parsing resource amplification, which can make the affected servers crash or become unresponsive.
While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, a DoS attack impacting availability could potentially affect compliance with regulations that require maintaining service availability and reliability.
Administrators are advised to implement limits on maximum stanza size and number of connections per IP to mitigate the vulnerability and help maintain service availability.