CVE-2026-43507 Overview
CVE-2026-43507 is a denial-of-service vulnerability in Prosody, an open-source XMPP communications server. The flaw exists in versions before 0.12.6 and in the 1.0.0 through 13.0.0 branch before 13.0.5. An unauthenticated remote attacker can send crafted XML whose parsing consumes memory out of proportion to the input size (resource amplification), exhausting server memory and disrupting service. The issue is categorized as Allocation of Resources Without Limits or Throttling [CWE-770]. Because Prosody serves as messaging infrastructure for many deployments, a crash or memory pressure event can disconnect every connected XMPP client until the service is restarted.
Critical Impact
Unauthenticated network attackers can exhaust server memory by sending crafted XML, taking the Prosody XMPP service offline.
Affected Products
- Prosody versions before 0.12.6
- Prosody 1.0.0 through 13.0.0 before 13.0.5
- Deployments exposing the Prosody XMPP service to untrusted networks
Discovery Timeline
- 2026-05-01 - CVE-2026-43507 published to NVD
- 2026-05-01 - Prosody publishes Security Advisory 735dd9d3
- 2026-05-01 - Disclosure thread posted to Openwall OSS Security
- 2026-05-01 - Last updated in NVD database
Technical Details for CVE-2026-43507
Vulnerability Analysis
The vulnerability is a memory exhaustion denial-of-service condition triggered during XML parsing. Prosody accepts XMPP stanzas as XML over TCP and TLS connections. An attacker can send crafted XML payloads that amplify resource consumption inside the parser, allocating memory disproportionate to the input size. The condition does not require authentication, and connections do not need to be upgraded to a session before the parser begins consuming attacker-controlled data. As memory pressure builds, Prosody may be terminated by the operating system or become unresponsive to legitimate clients. See the Prosody Security Advisory for the maintainer description.
Root Cause
The root cause is missing throttling on resources allocated during XML parsing of inbound stream data [CWE-770]. The parser does not enforce upper bounds proportional to bytes received from a peer, so a small input can produce large allocations. This pattern is common in XML processors that handle deeply nested or repetitive structures without budgeting allocations per connection.
Attack Vector
Exploitation requires only network access to a Prosody listener, typically TCP port 5222 for client-to-server traffic or 5269 for server-to-server federation. No credentials, user interaction, or prior session state is needed. An attacker opens a stream, sends amplifying XML, and continues until the server runs out of memory. Repeating across multiple connections accelerates exhaustion. The CVE is not currently listed in CISA KEV, and no public exploit code is listed in Exploit-DB.
No verified proof-of-concept code is publicly available. Refer to the Openwall OSS Security discussion for additional context on the parsing behavior.
Detection Methods for CVE-2026-43507
Indicators of Compromise
- Sudden growth in resident memory of the prosody process without a corresponding increase in authenticated sessions
- prosody process termination by the Linux OOM killer recorded in dmesg or /var/log/syslog
- Spikes in inbound connections to TCP ports 5222, 5223, or 5269 from a small set of source addresses
- Repeated stream errors or abrupt disconnects in prosody.log correlated with high memory use
Detection Strategies
- Alert when the prosody process resident set size exceeds a baseline threshold for the deployment
- Correlate XMPP connection rate with memory growth to identify amplification patterns from individual peers
- Monitor systemd or supervisor restart events for the Prosody service as a signal of crash loops
Monitoring Recommendations
- Export Prosody process metrics and OOM events to a centralized logging or SIEM platform
- Track per-source-IP connection counts on XMPP listeners and rate-limit outliers
- Capture packet samples on ports 5222 and 5269 during memory anomalies for later analysis
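The following script is an added illustration of the detection strategies above, not code from Prosody or the advisory. It runs the three checks (prosody OOM kill in dmesg, per-source-IP connection outliers, stream errors) over constructed sample lines; the log field layout and the "Client connected from <ip>" wording are assumptions, so adapt the regexes to your prosody.log format.

```python
import re
from collections import Counter

# Constructed sample lines (not from a real incident). The regexes assume
# this layout; real prosody.log fields vary by version and logging config.
DMESG_SAMPLE = """\
[4102.118] Out of memory: Killed process 1187 (prosody) total-vm:2411520kB, anon-rss:1049600kB
[4102.120] oom_reaper: reaped process 1187 (prosody), now anon-rss:0kB
"""

PROSODY_LOG_SAMPLE = """\
May 01 10:00:01 c2s55d1a0 info Client connected from 198.51.100.7
May 01 10:00:01 c2s55d1a1 info Client connected from 198.51.100.7
May 01 10:00:02 c2s55d1a2 info Client connected from 198.51.100.7
May 01 10:00:02 c2s55d1a2 warn Stream error: not-well-formed
May 01 10:00:03 c2s55d1a3 info Client connected from 198.51.100.7
May 01 10:00:03 c2s55d1a0 warn Stream error: not-well-formed
May 01 10:00:04 c2s55d1a4 info Client connected from 203.0.113.5
"""

OOM_RE = re.compile(r"Out of memory: Killed process (\d+) \((\S+)\)")
CONN_RE = re.compile(r"Client connected from (\S+)$")
STREAM_ERR_RE = re.compile(r"\bwarn\s+Stream error")

def oom_kills(dmesg_text, process_name="prosody"):
    """PIDs of OOM-killed processes named process_name (reaper lines are ignored)."""
    return [int(pid) for pid, name in OOM_RE.findall(dmesg_text) if name == process_name]

def connection_outliers(log_text, threshold=3):
    """{ip: count} for peers that opened more than `threshold` connections."""
    counts = Counter()
    for line in log_text.splitlines():
        m = CONN_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n > threshold}

def stream_error_count(log_text):
    """Number of stream-error warnings, a proxy for malformed/amplifying XML."""
    return sum(1 for line in log_text.splitlines() if STREAM_ERR_RE.search(line))

def assess(dmesg_text, log_text):
    """Combine the signals: an OOM kill plus connection outliers or stream errors."""
    kills = oom_kills(dmesg_text)
    outliers = connection_outliers(log_text)
    errors = stream_error_count(log_text)
    suspicious = bool(kills) and (bool(outliers) or errors > 0)
    return {"oom_pids": kills, "outliers": outliers, "stream_errors": errors, "suspicious": suspicious}

if __name__ == "__main__":
    print(assess(DMESG_SAMPLE, PROSODY_LOG_SAMPLE))
```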
How to Mitigate CVE-2026-43507
Immediate Actions Required
- Upgrade Prosody to version 0.12.6 or 13.0.5 or later as published in the Prosody Security Advisory
- Restart the Prosody service after upgrade to ensure the patched parser is loaded
- Review external exposure of XMPP ports and restrict server-to-server federation to known peers where feasible
Patch Information
Prosody has released fixed versions 0.12.6 and 13.0.5. Both releases address the XML parsing resource amplification described in advisory 735dd9d3. Operators on the 1.0.0 through 13.0.0 line should move to 13.0.5. Operators on the 0.12.x line should move to 0.12.6. Distribution package maintainers may ship backports; verify the installed package version matches the upstream fix.
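To check an installed version against the affected ranges stated above, here is an added helper (not part of Prosody or the advisory). It accepts plain upstream versions and Debian-style strings such as "1:0.12.4-1~bpo11+1" by stripping the epoch and revision; note that a version string alone cannot tell whether a distribution has backported the fix into an older version number.

```python
import re

# Affected ranges as stated in the advisory text above.
FIX_012 = (0, 12, 6)     # 0.12.x line fixed in 0.12.6
RANGE_13 = ((1, 0, 0), (13, 0, 5))  # 1.0.0 <= v < 13.0.5 affected

def parse_version(s):
    """Turn '13.0.5', '0.12.4-1', or '1:0.12.4-1~bpo11+1' into an int tuple.

    Strips a Debian epoch ('1:') and anything after the numeric release.
    """
    s = s.strip().split(":")[-1]
    m = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised version string: {s!r}")
    return tuple(int(part or 0) for part in m.groups())

def is_affected(version):
    """True if the version falls inside either affected range."""
    v = parse_version(version)
    if v < FIX_012:
        return True
    lo, hi = RANGE_13
    return lo <= v < hi

def advise(version):
    """Return the upgrade target for an affected version, or None if already fixed."""
    if not is_affected(version):
        return None
    return "0.12.6" if parse_version(version) < (1, 0, 0) else "13.0.5"

if __name__ == "__main__":
    for v in ["0.12.5", "0.12.6", "13.0.0", "13.0.5", "1:0.12.4-1~bpo11+1"]:
        print(v, "->", "affected, upgrade to " + advise(v) if is_affected(v) else "fixed")
```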
Workarounds
- Place a connection rate limiter or reverse proxy in front of Prosody to cap concurrent connections per source IP
- Restrict server-to-server federation using s2s_secure_auth and explicit allowlists until patching is complete
- Enforce strict operating system memory limits on the prosody service via systemd MemoryMax to contain impact
# Configuration example - systemd drop-in to cap Prosody memory
# /etc/systemd/system/prosody.service.d/memory.conf
[Service]
MemoryMax=1G
MemoryHigh=768M
TasksMax=512
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.