CVE-2026-43505 Overview
CVE-2026-43505 affects Prosody, an open-source XMPP communications server. The vulnerability resides in mod_proxy65, which implements the SOCKS5 Bytestreams (XEP-0065) extension for relaying file transfers between XMPP clients. The module mishandles access control during the activation scenario, allowing relaying of unauthenticated traffic through the server.
Prosody versions before 0.12.6 and versions 1.0.0 through 13.0.0 before 13.0.5 are affected when mod_proxy65 is enabled. The flaw enables network-based attackers to abuse the Prosody server as an open relay without authentication.
Critical Impact
Unauthenticated network attackers can relay arbitrary traffic through affected Prosody servers when mod_proxy65 is enabled, exposing the server to abuse and resource consumption [CWE-420].
Affected Products
- Prosody XMPP Server versions before 0.12.6
- Prosody XMPP Server versions 1.0.0 through 13.0.0 before 13.0.5
- Any deployment with mod_proxy65 enabled
Discovery Timeline
- 2026-05-01 - CVE-2026-43505 published to NVD
- 2026-05-01 - Prosody publishes Prosody Security Advisory
- 2026-05-01 - Disclosure published via Openwall OSS-Security Mail
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-43505
Vulnerability Analysis
Prosody's mod_proxy65 implements XEP-0065 SOCKS5 Bytestreams, which provides an out-of-band relay for peer-to-peer file transfers between XMPP clients. The protocol requires a session activation step where an authorized initiator instructs the proxy to bridge two connected sockets identified by a session ID (SID) hash.
The vulnerability stems from improper access control [CWE-420] during the activation scenario. The module fails to correctly verify the requesting party's authority to activate a given bytestream session. As a result, the proxy can be coerced into bridging connections from unauthenticated parties.
This condition turns Prosody into an unauthenticated TCP relay. Attackers can use the relay to obscure the origin of traffic, consume server bandwidth, or chain the relay into broader attack infrastructure. The flaw does not yield code execution or direct data disclosure of server contents.
Root Cause
The root cause is an unprotected alternate channel [CWE-420] in the mod_proxy65 activation handler. Authorization checks that should restrict session activation to the legitimate initiator are insufficient, allowing arbitrary clients to associate and activate streams.
Attack Vector
Exploitation requires only network access to the Prosody SOCKS5 proxy port, typically TCP 5000. No authentication, no privileges, and no user interaction are required. An attacker connects to the proxy, computes or replays the expected SID hash, and triggers activation to relay traffic between attacker-controlled endpoints.
Refer to the Prosody Security Advisory for protocol-level details on the activation handling defect.
Detection Methods for CVE-2026-43505
Indicators of Compromise
- Unexpected sustained TCP connections to the mod_proxy65 listener port (default 5000) from unknown source addresses
- Outbound connections from the Prosody host to external destinations unrelated to known XMPP federation peers
- Elevated bandwidth usage on the Prosody server without corresponding XMPP messaging activity
- Proxy65 session activations originating from JIDs not associated with active local accounts
Detection Strategies
- Enable verbose logging in mod_proxy65 and audit activation events for sessions where the initiator JID is unauthenticated or anonymous
- Correlate proxy port connections against authenticated XMPP sessions to identify relay traffic without a corresponding signaling channel
- Inspect netflow data for asymmetric long-lived TCP flows traversing the Prosody host
Monitoring Recommendations
- Alert on connection volume anomalies to TCP 5000 or whichever port mod_proxy65 is bound to
- Monitor Prosody logs for proxy65 activation entries and validate each against legitimate XMPP file transfer signaling
- Track CPU, memory, and bandwidth consumption on the Prosody host for relay abuse patterns
How to Mitigate CVE-2026-43505
Immediate Actions Required
- Upgrade Prosody to version 0.12.6 or 13.0.5, depending on the deployed branch
- If upgrading is not immediately possible, disable mod_proxy65 in the Prosody configuration
- Restrict network access to the SOCKS5 proxy port (default TCP 5000) using host or perimeter firewalls
- Review proxy logs for evidence of prior abuse and rotate any exposed credentials accessed via the relay
Patch Information
Prosody has released fixed versions 0.12.6 and 13.0.5. Deployments running the 1.0.0 through 13.0.0 series should upgrade to 13.0.5. The patch corrects access control logic in the mod_proxy65 activation handler. Refer to the Prosody Security Advisory for upgrade guidance.
Workarounds
- Set proxy65_acl to an explicit allowlist of trusted local domains in prosody.cfg.lua to constrain which JIDs may use the proxy
- Disable mod_proxy65 entirely by removing it from the modules_enabled list if file transfer relay is not required
- Bind mod_proxy65 to an internal interface only and block external access to the proxy port at the network boundary
# Configuration example: disable mod_proxy65 in prosody.cfg.lua
modules_enabled = {
"roster";
"saslauth";
"tls";
-- "proxy65"; -- disabled to mitigate CVE-2026-43505
}
# Alternative: restrict proxy65 to local domains only
Component "proxy.example.com" "proxy65"
proxy65_acl = { "example.com" }
proxy65_address = "proxy.example.com"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
