Medium severity 5.9 · NVD Advisory · Published Feb 9, 2017 · Updated May 13, 2026
CVE-2017-5591
Description
An incorrect implementation of "XEP-0280: Message Carbons" in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display. This allows for various kinds of social engineering attacks. This CVE is for SleekXMPP up to 1.3.1 and Slixmpp all versions up to 1.2.3, as bundled in poezio (0.8 - 0.10) and other products.
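The check that closes this bug is small: a client must only trust a carbon-copied message when the outer `<message>` wrapper comes from the user's own bare JID, because the server is the only party that legitimately generates carbons and it always sends them from that address. The following example was written for this page and is not SleekXMPP's or slixmpp's code; it parses constructed carbon stanzas with the standard library and shows the peer a client would display with and without the origin check, so the impersonation the description refers to is visible side by side with the fixed behaviour. The JID normalisation (`bare_jid`) is a simplification assumed here, not the libraries' JID comparison.

```python
"""Added example: the XEP-0280 origin check behind the CVE-2017-5591 fix.

Illustrative code written for this page, not the SleekXMPP or slixmpp
implementation. It applies the rule the patched carbons.py applies:
a carbon is trusted only if the outer <message> 'from' is the user's own
bare JID. Sample stanzas below are constructed, not captured traffic.
"""
import xml.etree.ElementTree as ET

CARBONS_NS = "urn:xmpp:carbons:2"
FORWARD_NS = "urn:xmpp:forward:0"
CLIENT_NS = "jabber:client"


def bare_jid(jid: str) -> str:
    """Drop the resource and lowercase. Simplified normalisation (assumed
    here); a real client should compare JIDs with its JID library."""
    return jid.split("/", 1)[0].lower()


def _forwarded_message(outer):
    """Return ('received'|'sent', inner <message> element) or None."""
    for kind in ("received", "sent"):
        wrapper = outer.find(f"{{{CARBONS_NS}}}{kind}")
        if wrapper is not None:
            inner = wrapper.find(f"{{{FORWARD_NS}}}forwarded/{{{CLIENT_NS}}}message")
            if inner is not None:
                return kind, inner
    return None


def is_trusted_carbon(outer, bound_jid: str) -> bool:
    """The fix: the outer 'from' must equal the user's own bare JID.
    A missing 'from' is rejected, as the patched code does."""
    sender = outer.get("from")
    return sender is not None and bare_jid(sender) == bare_jid(bound_jid)


def displayed_peer(stanza_xml: str, bound_jid: str, check_origin: bool = True):
    """Return (kind, peer JID the UI would attribute the message to), or None.

    check_origin=False reproduces the unpatched behaviour, where any stanza
    carrying a carbons wrapper is trusted and the inner sender is displayed.
    """
    outer = ET.fromstring(stanza_xml)
    carbon = _forwarded_message(outer)
    if carbon is None:
        return None
    if check_origin and not is_trusted_carbon(outer, bound_jid):
        return None  # reject: do not surface the forwarded message at all
    kind, inner = carbon
    # A received carbon is shown as coming from the inner sender; a sent
    # carbon is shown as a message to the inner recipient.
    peer = inner.get("from") if kind == "received" else inner.get("to")
    return kind, peer


# --- constructed sample stanzas -------------------------------------------
BOUND_JID = "romeo@example.net/desktop"

# Legitimate: the server copies a message that arrived at another resource.
LEGIT_RECEIVED = """
<message xmlns='jabber:client' from='romeo@example.net' to='romeo@example.net/desktop' type='chat'>
  <received xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message xmlns='jabber:client' from='juliet@example.com/balcony' to='romeo@example.net/phone' type='chat'>
        <body>Wherefore art thou?</body>
      </message>
    </forwarded>
  </received>
</message>
"""

# Legitimate: the server copies a message the user sent from another resource.
LEGIT_SENT = """
<message xmlns='jabber:client' from='romeo@example.net' to='romeo@example.net/desktop' type='chat'>
  <sent xmlns='urn:xmpp:carbons:2'>
    <forwarded xmlns='urn:xmpp:forward:0'>
      <message xmlns='jabber:client' from='romeo@example.net/phone' to='juliet@example.com' type='chat'>
        <body>I am here.</body>
      </message>
    </forwarded>
  </sent>
</message>
"""

# Same wrapper shape, but the outer 'from' is a third party. Only the outer
# 'from' differs; an unpatched client would still show "juliet" as sender.
SPOOFED_RECEIVED = LEGIT_RECEIVED.replace(
    "from='romeo@example.net' ", "from='mallory@evil.example' ", 1)

if __name__ == "__main__":
    for label, stanza in (("legit", LEGIT_RECEIVED), ("sent", LEGIT_SENT),
                          ("spoofed", SPOOFED_RECEIVED)):
        print(label, "patched:", displayed_peer(stanza, BOUND_JID),
              "unpatched:", displayed_peer(stanza, BOUND_JID, check_origin=False))
```

Run as a script it prints, for the spoofed stanza, `None` under the patched check and `('received', 'juliet@example.com/balcony')` without it, which is the display-level impersonation the advisory describes.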
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| slixmpp (PyPI) | < 1.2.4 | 1.2.4 |
| SleekXMPP (PyPI) | < 1.3.2 | 1.3.2 |
Affected products (6)
Patches (2)
285495d5ee24 Merge pull request #448 from fritzy/v1.3.2
2 files changed · +6 −4
sleekxmpp/plugins/xep_0280/carbons.py+4 −2 modified@@ -61,10 +61,12 @@ def session_bind(self, jid): self.xmpp.plugin['xep_0030'].add_feature('urn:xmpp:carbons:2') def _handle_carbon_received(self, msg): - self.xmpp.event('carbon_received', msg) + if msg['from'].bare == self.xmpp.boundjid.bare: + self.xmpp.event('carbon_received', msg) def _handle_carbon_sent(self, msg): - self.xmpp.event('carbon_sent', msg) + if msg['from'].bare == self.xmpp.boundjid.bare: + self.xmpp.event('carbon_sent', msg) def enable(self, ifrom=None, block=True, timeout=None, callback=None): iq = self.xmpp.Iq()
sleekxmpp/version.py+2 −2 modified@@ -9,5 +9,5 @@ # We don't want to have to import the entire library # just to get the version info for setup.py -__version__ = '1.4.0' -__version_info__ = (1, 4, 0, '', 0) +__version__ = '1.3.2' +__version_info__ = (1, 3, 2, '', 0)
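Review bot: in the carbons.py hunk, a carbon that fails the new `msg['from'].bare == self.xmpp.boundjid.bare` guard is dropped silently; consider logging the rejection or raising a distinct event so a client can audit or surface an attempted spoof, and add a unit test for the rejected case so the guard cannot regress. The guard itself matches what XEP-0280 requires (the server originates carbons from the user's own bare JID). The version.py hunk only sets the number to 1.3.2 on the release branch, consistent with the patched version in the table above.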
1 file changed · +4 −2
slixmpp/plugins/xep_0280/carbons.py+4 −2 modified@@ -61,10 +61,12 @@ def session_bind(self, jid): self.xmpp.plugin['xep_0030'].add_feature('urn:xmpp:carbons:2') def _handle_carbon_received(self, msg): - self.xmpp.event('carbon_received', msg) + if msg['from'].bare == self.xmpp.boundjid.bare: + self.xmpp.event('carbon_received', msg) def _handle_carbon_sent(self, msg): - self.xmpp.event('carbon_sent', msg) + if msg['from'].bare == self.xmpp.boundjid.bare: + self.xmpp.event('carbon_sent', msg) def enable(self, ifrom=None, timeout=None, callback=None, timeout_callback=None):
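Review bot: this hunk is the same two-line guard as the SleekXMPP fix and the same points apply (rejected carbons produce no log or event, and no test accompanies the change). Note also that the commit touches only carbons.py with no version bump, so the 1.2.4 patched version in the table must come from a separate release; anyone pinning by version rather than by commit should confirm their release includes 22664ee7.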
References (15)
- github.com/poezio/slixmpp/commit/22664ee7b86c8e010f312b66d12590fb47160ad8 (NVD: Patch)
- openwall.com/lists/oss-security/2017/02/09/29 (NVD: Exploit, Mailing List, Third Party Advisory)
- rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons/ (NVD: Exploit, Technical Description, Third Party Advisory)
- rt-solutions.de/wp-content/uploads/2017/02/CVE-2017-5589_xmpp_carbons.pdf (NVD: Exploit, Technical Description, Third Party Advisory)
- www.securityfocus.com/bid/96166 (NVD: Third Party Advisory, VDB Entry)
- github.com/advisories/GHSA-c35g-jr5f-h83p (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2017-5591 (GHSA: Advisory)
- github.com/fritzy/SleekXMPP/commit/285495d5ee2427d93d961ceedcd1829383e5196d (GHSA)
- github.com/fritzy/SleekXMPP/issues/442 (GHSA)
- github.com/pypa/advisory-database/tree/main/vulns/sleekxmpp/PYSEC-2017-103.yaml (GHSA)
- github.com/pypa/advisory-database/tree/main/vulns/slixmpp/PYSEC-2017-104.yaml (GHSA)
- pypi.org/project/sleekxmpp (GHSA)
- pypi.org/project/slixmpp (GHSA)
- rt-solutions.de/en/2017/02/CVE-2017-5589_xmpp_carbons (GHSA)
- web.archive.org/web/20200227192025/http://www.securityfocus.com/bid/96166 (GHSA)