CVE-2014-2744

high

Published 2014-04-11 · Modified 2026-05-06

CVSS v3

—

CVSS v2

7.8

VIR risk

7.8

Description

plugins/mod_compression.lua in (1) Prosody before 0.9.4 and (2) Lightwitch Metronome through 3.4 negotiates stream compression while a session is unauthenticated, which allows remote attackers to cause a denial of service (resource consumption) via compressed XML elements in an XMPP stream, aka an "xmppbomb" attack.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2014-2744

vendor Authored 2026-05-27

Vendor advisory: security@debian.org — http://hg.prosody.im/0.9/rev/b3b1c9da38fb

vendor Authored 2026-05-27

Vendor advisory: security@debian.org — http://code.lightwitch.org/metronome/rev/49f47277a411

vendor Authored 2026-05-27

Vendor advisory: security@debian.org — http://blog.prosody.im/prosody-0-9-4-released/

OS impact

OS	Version	Status	Fixed in
debian	bookworm	fixed	`1.3.0-1`
debian	bullseye	fixed	`1.3.0-1`
debian	forky	fixed	`1.3.0-1`
debian	sid	fixed	`1.3.0-1`
debian	trixie	fixed	`1.3.0-1`

Application impact

Vendor	Product	Versions
lightwitch	metronome	`{"endIncluding":"3.4"}`
prosody	prosody	`{"endIncluding":"0.9.3"}`
prosody	prosody	`0.1.0`
prosody	prosody	`0.2.0`
prosody	prosody	`0.3.0`
prosody	prosody	`0.4.0`
prosody	prosody	`0.4.1`
prosody	prosody	`0.4.2`
prosody	prosody	`0.5.0`
prosody	prosody	`0.5.1`
prosody	prosody	`0.5.2`
prosody	prosody	`0.6.0`
prosody	prosody	`0.6.1`
prosody	prosody	`0.6.2`
prosody	prosody	`0.7.0`
prosody	prosody	`0.8.0`
prosody	prosody	`0.8.1`
prosody	prosody	`0.8.2`
prosody	prosody	`0.9.0`
prosody	prosody	`0.9.1`
prosody	prosody	`0.9.2`

References

CWEs

CWE-20

Verify integrity in audit chain (admin only). AS-IS.