CVE-2026-43504 Overview
CVE-2026-43504 affects Prosody, an open-source XMPP communication server. The vulnerability resides in mod_proxy65, a module implementing the SOCKS5 Bytestreams (XEP-0065) protocol used for peer-to-peer file transfers between XMPP clients. The module mishandles access control during paused transfer scenarios, allowing unauthenticated traffic to be relayed through the server. Attackers can abuse the proxy to relay arbitrary traffic without authenticating to the XMPP service. The flaw affects Prosody versions before 0.12.6 and versions 1.0.0 through 13.0.0 before 13.0.5. The issue is classified under CWE-863: Incorrect Authorization.
Critical Impact
Unauthenticated attackers can relay traffic through Prosody servers running mod_proxy65, abusing the service as an open proxy and causing integrity and availability impact to legitimate users.
Affected Products
- Prosody versions before 0.12.6
- Prosody versions 1.0.0 through 13.0.0 before 13.0.5
- Prosody deployments with mod_proxy65 enabled
Discovery Timeline
- 2026-05-01 - CVE-2026-43504 published to NVD
- 2026-05-01 - Prosody security advisory 735dd9d3 released
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-43504
Vulnerability Analysis
Prosody's mod_proxy65 implements XEP-0065 SOCKS5 Bytestreams, which lets two XMPP clients exchange files through a relay when direct connections fail. The protocol requires both endpoints to authenticate the transfer session before the proxy begins relaying bytes. The vulnerability stems from incorrect authorization handling when a transfer enters a paused state. In that state, mod_proxy65 fails to re-validate that connecting peers are authorized session participants. Unauthenticated network attackers can connect to the proxy port and have traffic relayed between arbitrary endpoints. The result is an open relay capable of transporting attacker-controlled data through a legitimate XMPP infrastructure.
Root Cause
The defect is an authorization logic error [CWE-863]. The module's state machine treats paused transfers as if they retain prior authorization context, but the access control check that pairs an inbound SOCKS5 connection with an authenticated XMPP session is bypassed. Sessions in the paused branch skip the verification that links streamhost-used stanzas to specific JIDs.
Attack Vector
The attack is remote and requires no authentication or user interaction. An attacker reaches the mod_proxy65 listener over the network, typically TCP port 5000, and initiates a SOCKS5 negotiation against a paused or crafted session identifier. The proxy accepts the connection and relays bytes between unauthenticated peers. The vulnerability does not yield code execution. Confidentiality of the host is unaffected, but integrity and availability are degraded because attackers can inject relayed traffic and exhaust proxy resources.
No public proof-of-concept exploit is available. Refer to the Prosody Security Advisory for protocol-level details.
Detection Methods for CVE-2026-43504
Indicators of Compromise
- Unexpected inbound connections to the mod_proxy65 listening port (default TCP 5000) from sources unrelated to active XMPP user sessions.
- Sustained byte relay activity with no corresponding streamhost-used IQ stanza tied to authenticated JIDs in Prosody logs.
- Spikes in proxy bandwidth usage or open file descriptors on the Prosody host without matching XMPP session counts.
Detection Strategies
- Audit Prosody logs for mod_proxy65 transfer events that lack an associated authenticated session initiator.
- Correlate firewall flow records against the XMPP session table to identify proxy connections with no matching authenticated client.
- Deploy IDS signatures that flag SOCKS5 negotiations on the Prosody proxy port originating from non-federated networks.
Monitoring Recommendations
- Forward Prosody server logs and network telemetry into a centralized analytics platform for retention and correlation.
- Set rate-limit alerts on mod_proxy65 connection counts and aggregate transferred bytes per source IP.
- Track the prosody process for abnormal socket counts and outbound connections to unusual destinations.
How to Mitigate CVE-2026-43504
Immediate Actions Required
- Upgrade Prosody to version 0.12.6 or 13.0.5 or later, which contain the fix for mod_proxy65 authorization handling.
- If upgrading is not immediately possible, disable mod_proxy65 in the Prosody configuration until the patch is applied.
- Restrict network access to the proxy port using firewall rules so only trusted client networks can reach it.
Patch Information
The Prosody project published security advisory 735dd9d3 and fixed releases 0.12.6 and 13.0.5. Administrators should install packages from the Prosody Security Advisory or the distribution package channel. Additional details are available in the Openwall OSS Security Update.
Workarounds
- Remove or comment out "proxy65" from the modules_enabled list in /etc/prosody/prosody.cfg.lua and reload the service.
- Bind the proxy to a non-public interface using the proxy65_address and proxy65_interfaces directives to limit exposure.
- Apply ACLs at the host or perimeter firewall to restrict TCP port 5000 to known XMPP client subnets.
# Configuration example: disable mod_proxy65 in prosody.cfg.lua
modules_enabled = {
"roster";
"saslauth";
"tls";
"dialback";
"disco";
-- "proxy65"; -- disabled to mitigate CVE-2026-43504
}
-- Restart Prosody after editing the config
-- sudo systemctl restart prosody
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
