CVE-2026-43507
Published: 01 May 2026
Summary
CVE-2026-43507 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Prosody Prosody. Its CVSS base score is 5.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 21.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-2 requires timely identification, reporting, and correction of flaws, directly enabling patching of the Prosody XML parsing vulnerability as recommended in the security advisory.
SC-5 implements denial-of-service protections such as rate limiting and throttling to prevent memory exhaustion from unauthenticated XML resource amplification attacks.
SI-10 enforces validation of XML information inputs to reject malformed data that triggers excessive resource consumption during parsing.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote unauthenticated exploitation of an XMPP server via crafted XML input to cause resource exhaustion and service unavailability, directly mapping to application/system exploitation for endpoint denial of service.
NVD Description
An issue was discovered in Prosody before 0.12.6 and 1.0.0 through 13.0.0 before 13.0.5. A Denial of Service can occur via memory exhaustion caused by XML parsing resource amplification from unauthenticated connections.
Deeper analysisAI
CVE-2026-43507 is a denial-of-service vulnerability in Prosody, an open-source XMPP server, affecting versions prior to 0.12.6 as well as versions from 1.0.0 through 13.0.0 before 13.0.5. The issue stems from XML parsing resource amplification, where specially crafted input from unauthenticated connections triggers excessive memory consumption, leading to exhaustion. It is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L), indicating medium severity with low-impact availability disruption.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By sending malformed XML data to Prosody's listening ports, attackers can amplify resource usage during parsing, causing the server to allocate disproportionate memory and potentially crash or become unresponsive, resulting in a denial of service.
Prosody's security advisory (https://prosody.im/security/advisory_735dd9d3/) and related announcements detail mitigation through upgrading to Prosody 0.12.6 or version 13.0.5 and later, which address the parsing amplification. Additional discussions appear in security mailing lists (e.g., https://www.openwall.com/lists/oss-security/2026/05/01/5) and vendor blogs (e.g., https://blog.unionium.org/ARTICLES/1.HTM), emphasizing prompt patching for exposed XMPP servers.
Details
- CWE(s)