
Cloud Vulnerability DB
A community-led vulnerabilities database
A vulnerability was discovered in Prosody's internal XML parsing library, which is built on libexpat. The vulnerability (CVE-2022-0217) was published on January 13, 2022 and affects all versions of Prosody with WebSocket support. The library did not restrict which XML features an untrusted document may use, so an attacker could supply a DTD containing recursively nested entity definitions (uncontrolled entity expansion) and, depending on the libexpat version in use, possibly XML External Entity (XXE) references (Prosody Advisory).
The vulnerability received a CVSS score of 7.3 (High severity) and is associated with CWE-776 (Improper Restriction of Recursive Entity References in DTDs), CWE-20 (Improper Input Validation) and potentially CWE-611 (Improper Restriction of XML External Entity Reference). The root cause is an internal Prosody API that was written to parse local, trusted XML data and was later reused on network input. The WebSocket module uses this API to parse the XML that initialises a session, before the client has authenticated, so an unauthenticated client can send a "billion laughs" document: a payload of a few hundred bytes whose nested entity definitions expand to an enormous amount of text, consuming CPU and memory on the server (Prosody Advisory).
The impact is denial of service through resource exhaustion. Because Prosody does not yield control to other connections while it processes a fully received WebSocket frame, a single malicious frame stalls the whole server rather than only the attacker's own connection. Ordinary XMPP client-to-server connections and the BOSH interface are not affected, because they do not use the internal API in question (Prosody Advisory).
The vulnerability was fixed in Prosody 0.11.12 by restricting the XML features available through the internal XML API. For deployments that cannot upgrade immediately, the project published a patch that applies to any installation from the 0.11 series. As a workaround, the WebSocket module can be unloaded (by removing "websocket" from modules_enabled in the configuration); this closes the known attack path but does not protect third-party modules that may call the same internal API (Prosody Advisory). Before choosing a mitigation, confirm the running version with "prosodyctl about" and check whether "websocket" is present in modules_enabled.
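The following is an added example, not Prosody's code or the project's patch. It uses Python's xml.parsers.expat, which wraps the same libexpat library that Prosody's Lua bindings use, to show both halves of the advisory in one place: a constructed entity-expansion payload that a small document turns into a large amount of text when parsed with default settings, and a hardened parse that refuses every DTD feature before expansion can begin, which is the same restriction the fix applies in spirit. The payload builder, the function names, the UnsafeXML exception and the sample WebSocket open frame are all this example's own assumptions.

```python
"""Entity expansion ("billion laughs") against a libexpat-based XML parser,
and the hardening that closes it: refuse DTD features outright.

Added example, not Prosody's code. Python's xml.parsers.expat wraps the
same libexpat that Prosody's Lua bindings use, so parse_naive behaves like
an unrestricted parser fed an untrusted WebSocket frame. All names here are
this example's own.
"""
import xml.parsers.expat


class UnsafeXML(Exception):
    """Raised when a document uses a DTD feature the hardened parser forbids."""


def billion_laughs(depth: int, fanout: int = 10) -> bytes:
    """Build a constructed entity-expansion payload.

    e0 is a single character; each e{i} references e{i-1} `fanout` times, so
    the single reference &e{depth}; in the body expands to fanout**depth
    characters even though the document itself is only a few hundred bytes.
    """
    decls = ['<!ENTITY e0 "x">']
    for i in range(1, depth + 1):
        decls.append('<!ENTITY e%d "%s">' % (i, ("&e%d;" % (i - 1)) * fanout))
    doc = '<?xml version="1.0"?><!DOCTYPE lol [%s]><lol>&e%d;</lol>' % (
        "".join(decls), depth)
    return doc.encode()


def _attach_text_counter(parser):
    """Total the length of every character-data callback. expat may split
    expanded text across several callbacks, so we sum rather than capture."""
    total = [0]

    def on_text(text: str) -> None:
        total[0] += len(text)

    parser.CharacterDataHandler = on_text
    return total


def parse_naive(data: bytes) -> int:
    """Parse with expat defaults: internal entities are expanded in full.

    Returns how many characters the parser materialised, which is the cost
    an attacker controls through the payload above.
    """
    parser = xml.parsers.expat.ParserCreate()
    total = _attach_text_counter(parser)
    parser.Parse(data, True)
    return total[0]


def parse_hardened(data: bytes) -> int:
    """Same parse, but any DTD feature aborts before expansion can start.

    This mirrors the spirit of the fix (restrict the XML features available
    to untrusted input); it is not Prosody's patch.
    """
    parser = xml.parsers.expat.ParserCreate()

    def reject(*_args):
        raise UnsafeXML("DTDs, entity declarations and external entities are not allowed")

    # <!DOCTYPE ...> is reported before any entity inside it is declared, so
    # rejecting here stops the attack at zero expansion cost.
    parser.StartDoctypeDeclHandler = reject
    # Defence in depth: also refuse entity declarations and external entity
    # references (the XXE side of the advisory) instead of relying on the
    # binding's default handling of them.
    parser.EntityDeclHandler = reject
    parser.ExternalEntityRefHandler = reject
    total = _attach_text_counter(parser)
    parser.Parse(data, True)
    return total[0]


def hardened_accepts(data: bytes) -> bool:
    """True if the hardened parser parses the document, False if it rejects it."""
    try:
        parse_hardened(data)
    except UnsafeXML:
        return False
    return True


# A benign XMPP-over-WebSocket opening frame (RFC 7395 framing), constructed here.
OPEN_FRAME = (b'<open xmlns="urn:ietf:params:xml:ns:xmpp-framing" '
              b'to="example.com" version="1.0"/>')

if __name__ == "__main__":
    payload = billion_laughs(depth=3)  # keep depth small; depth 9 would exhaust memory
    print(len(payload), "bytes on the wire ->", parse_naive(payload), "chars expanded")
    print("hardened accepts payload:   ", hardened_accepts(payload))
    print("hardened accepts open frame:", hardened_accepts(OPEN_FRAME))
```

Rejecting in StartDoctypeDeclHandler is what makes the hardened path cheap: the handler fires on the DOCTYPE token itself, so the parser never reads the entity declarations, let alone expands them. Rejecting only in EntityDeclHandler would also work against this payload, but refusing the DOCTYPE entirely is the simpler rule for a protocol such as XMPP whose stanzas never legitimately carry one. Recent libexpat releases add their own amplification limit for very large expansions, but that is a backstop for an already-hardened parser, not a substitute for disabling DTD features on untrusted input.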
Source: This report was generated using AI