A security flaw has been found and fixed in a core component of the Snikket server software, Prosody. A fix has been released today, and it is recommended that everyone upgrades as soon as possible to receive the fix.
The flaw would allow an attacker to trigger the Snikket server to consume extreme amounts of resources (CPU and RAM), resulting in a denial of service.
You can find instructions for upgrading to the latest release in our upgrade guide.
If you are a Snikket hosting customer, you will receive an email with information about upgrading your instance.
A “Denial of Service” attack (DoS) is any attack that causes an internet service (such as Snikket) to become unavailable to its users, i.e. unable to handle requests. In Snikket’s case, this means users would be temporarily unable to exchange messages, make calls, or share media and files.
This flaw does not expose any data to the attacker. It simply causes Snikket to consume large amounts of memory and stop responding.
Snikket may use large amounts of CPU and RAM while trying to handle traffic that has been specially crafted by an attacker to trigger this flaw. If Snikket is running on a server alongside other services, Snikket’s excessive use of resources may negatively impact those services as well.
The issue was discovered by the Prosody development team during a review of the code. It is not known to have been actively exploited by anyone. However, now that the fix has been published, it may bring more attention to the flaw. It is recommended that you upgrade as soon as possible.
This security release only contains changes that fix the security issue. No features or other fixes have been introduced in this release.
If you cannot upgrade immediately, you can run the following command in your Snikket directory (where docker-compose.yml is located) to disable WebSocket support temporarily:
docker-compose exec -it snikket prosodyctl shell module unload websocket
WebSockets are enabled by default, but not used by any of the official clients; they are only needed for Web-based clients. Web-based clients should in addition be able to (be configured to) fall back to the unaffected BOSH endpoint.
Note that the above workaround is temporary - it will be reset if you restart Snikket for any reason. It is recommended to upgrade Snikket to achieve a permanent fix.
The fix has been released in ‘beta.20220113’.
To check your version, log in to the Snikket web portal with your admin
account. Then click on the “Snikket service” text at the bottom of the
page. View the section “Software Versions” and ensure that the ‘Prosody’
Snikket test 48-3d061. If you see
or any number lower than
48 then your Snikket is not up to date yet.
Follow the upgrade guide.
If you have any questions or concerns about this release, you can join the Snikket community chat or contact us directly.
Subscribe to our RSS feed for the latest updates from the Snikket project!