We are pleased to announce a new minor release from our stable branch.

This is a security release for the Prosody 0.12.x old stable series. It addresses multiple security issues, some memory leaks and some smaller bugs which have been fixed since the previous release.

Full details about the security vulnerabilities can be found in our security advisory . We encourage all Prosody operators on 0.12.5 or earlier to upgrade to 0.12.6 or 13.0.5 as soon as possible, or to review the advisory and implement appropriate mitigations.

Note: Support for the 0.12.x series ends in June 2026. This means it will no longer receive any fixes or updates, even for security issues. It is likely that 0.12.6 will be the last release from this series. Check our guide on upgrading Prosody and the release notes for 13.0.0 before you upgrade to the 13.0.x series.

A summary of changes in this release:

Security

• mod_proxy65: Consistently apply authorization checks
• mod_proxy65: Don’t proxy data until after bytestream activation
• mod_c2s, mod_s2s: Introduce new pre-authentication stanza size limit
• Add limit for stanza max child elements
• mod_c2s: Remove timers immediately on disconnection
• net.server_epoll: Clean up timers after disconnection

Fixes and improvements

• Fix memory leak in module API

Minor changes

• util.prosodyctl.check: Improve error handling of UDP socket setup (for #1803 )

Download

As usual, download instructions for many platforms can be found on our download page

If you have any questions, comments or other issues with this release, let us know!