CVE-2021-32917

An issue was discovered in Prosody before 0.11.9. The proxy65 component allows open access by default, even if neither of the users has an XMPP account on the local server, allowing unrestricted use of the server's bandwidth.

Published: May 13, 2021
Updated: Nov 16, 2025
CVE: CVE-2021-32917
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.3
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

CVSS v2:

Severity: Low
Score: 4.3
AV:N/AC:M/Au:N/C:N/I:N/A:P

CWEs:

CWE-862

Affected Software
References

Software	From	Fixed in
prosody / prosody	-	0.11.9
debian / debian_linux	9.0	9.0.x
debian / debian_linux	10.0	10.0.x
fedoraproject / fedora	32	32.x
fedoraproject / fedora	33	33.x
fedoraproject / fedora	34	34.x

http://www.openwall.com/lists/oss-security/2021/05/13/1
http://www.openwall.com/lists/oss-security/2021/05/14/2
https://blog.prosody.im/prosody-0.11.9-released/
https://lists.debian.org/debian-lts-announce/2021/06/msg00016.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/6MFFBZWXKPZEVZNQSVJNCUE7WRF3T7DG/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GUN63AHEWB2WRROJHU3BVJRWLONCT2B7/
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/LWJ2DG2DFJOEFEWOUN26IMYYWGSA2ZEE/
https://security.gentoo.org/glsa/202105-15
https://www.debian.org/security/2021/dsa-4916

Vulnerability Database

317,181

CVE-2021-32917

Deep Security Visibility Without the Complexity