Prosody Prosody

  1. Vendors
  2. Prosody

Don't miss out!

Thousands of developers use stack.watch to stay informed.
Get an email whenever new security vulnerabilities are reported in any Prosody product.

RSS Feeds for Prosody security vulnerabilities

Create a CVE RSS feed including security vulnerabilities found in Prosody products with stack.watch. Just hit watch, then grab your custom RSS feed url.

Products by Prosody Sorted by Most Security Vulnerabilities since 2018

Prosody6 vulnerabilities

Prosody Mod Auth Ldap1 vulnerability

Prosody Mod Auth Ldap21 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Prosody. Prosody did not have any published security vulnerabilities last year.




Year Vulnerabilities Average Score
2026 0 0.00
2025 0 0.00
2024 0 0.00
2023 0 0.00
2022 1 7.50
2021 4 6.95
2020 1 0.00
2019 0 0.00
2018 1 0.00

It may take a day or so for new Prosody vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally vulnerabilities may be tagged under a different product or component name.

Recent Prosody Security Vulnerabilities

CVE Date Vulnerability Products
CVE-2022-0217 Aug 26, 2022
XML External Entity & Entity Expansion in Prosody (XML Parser Abuse) It was discovered that an internal Prosody library to load XML based on libexpat does not properly restrict the XML features allowed in parsed XML data. Given suitable attacker input, this results in expansion of recursive entity references from DTDs (CWE-776). In addition, depending on the libexpat version used, it may also allow injections using XML External Entity References (CWE-611).
Prosody
CVE-2021-37601 Jul 30, 2021
muc.lib.lua in Prosody 0.11.0 through 0.11.9 muc.lib.lua in Prosody 0.11.0 through 0.11.9 allows remote attackers to obtain sensitive information (list of admins, members, owners, and banned entities of a Multi-User chat room) in some common configurations.
Prosody
CVE-2021-32920 May 13, 2021
Prosody before 0.11.9 Prosody before 0.11.9 allows Uncontrolled CPU Consumption via a flood of SSL/TLS renegotiation requests.
Prosody
CVE-2021-32919 May 13, 2021
An issue was discovered in Prosody before 0.11.9 An issue was discovered in Prosody before 0.11.9. The undocumented dialback_without_dialback option in mod_dialback enables an experimental feature for server-to-server authentication. It does not correctly authenticate remote server certificates, allowing a remote server to impersonate another server (when this option is enabled).
Prosody
CVE-2021-32917 May 13, 2021
An issue was discovered in Prosody before 0.11.9 An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.
Prosody
CVE-2020-8086 Jan 28, 2020
The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function The mod_auth_ldap and mod_auth_ldap2 Community Modules through 2020-01-27 for Prosody incompletely verify the XMPP address passed to the is_admin() function. This grants remote entities admin-only functionality if their username matches the username of a local admin.
Mod Auth Ldap2
Mod Auth Ldap
CVE-2018-10847 Jul 30, 2018
prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass prosody before versions 0.10.2, 0.9.14 is vulnerable to an Authentication Bypass. Prosody did not verify that the virtual host associated with a user session remained the same across stream restarts. A user may authenticate to XMPP host A and migrate their authenticated session to XMPP host B of the same Prosody instance.
Prosody
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD). Privacy Policy. Use of this site is governed by the Legal Terms
Disclaimer
CONTENT ON THIS WEBSITE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. Always check with your vendor for the most up to date, and accurate information.