CVE-2022-45197
Description
Slixmpp before 1.8.3 lacks SSL certificate hostname validation, enabling man-in-the-middle attacks against XMPP connections.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
CVE-2022-45197 is a security flaw in Slixmpp, an XMPP library for Python, affecting versions prior to 1.8.3. The vulnerability stems from the library's failure to validate SSL/TLS certificate hostnames in the XMLStream class [1]. In other words, when a Slixmpp client establishes an encrypted connection to an XMPP server, it does not check whether the names in the presented certificate actually match the hostname of the server being contacted.
Attack Vector
An attacker with a privileged network position (such as on a shared Wi-Fi network or within an ISP) can perform a man-in-the-middle (MITM) attack. By intercepting the TLS handshake and presenting a valid certificate for a different domain, the attacker can successfully impersonate any XMPP server to the Slixmpp client. No authentication bypass is needed beyond network interception; the client's missing hostname check means it will trust the fraudulent certificate [1][4].
Impact
Successful exploitation allows the attacker to decrypt, read, and modify all XMPP traffic between the client and the intended server. This includes direct messages, presence information, and roster data. The attack completely undermines the confidentiality and integrity of communications, enabling credential theft, message forgery, and session hijacking [1][4].
Mitigation
The vulnerability is fixed in Slixmpp version 1.8.3 [1][2]. Users and developers should upgrade to this release or later. As of the advisory publication, no workarounds have been provided, and users on older versions are advised to update immediately. The flaw has been recorded in the PyPA advisory database (PYSEC-2022-43013) [4].
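To make the missing check concrete, the following is an added example (not Slixmpp's code, and not taken from any of the cited references); the function names, the constructed certificate data and the `validate_hostname` flag are this example's own assumptions. It shows the hostname-matching rule a TLS client has to apply after the chain has verified, why a certificate that is valid for some other domain must be rejected by that rule, and how to audit a Python `ssl.SSLContext` for the weak setting (chain verified, names not checked) beside the correct one.

```python
# Added example (not Slixmpp's code): what TLS hostname validation does and
# how to audit a Python SSLContext for it. Function names are this example's own.
import ipaddress
import ssl


def hostname_matches(hostname: str, dns_names) -> bool:
    """RFC 6125-style match of a server hostname against certificate DNS names.

    Rules applied (the same ones CPython's ssl module enforces):
      * case-insensitive, trailing dots ignored;
      * a wildcard must be the entire left-most label ("*.example.org");
      * a wildcard matches exactly one label, never "a.b.example.org";
      * a wildcard needs at least two further labels, so "*.org" never matches.
    """
    host = hostname.rstrip(".").lower()
    host_labels = host.split(".")
    for name in dns_names:
        labels = name.rstrip(".").lower().split(".")
        if labels == host_labels:
            return True
        if (labels[0] == "*" and len(labels) >= 3
                and len(host_labels) == len(labels)
                and host_labels[1:] == labels[1:]):
            return True
    return False


def check_peer_hostname(hostname: str, peercert: dict) -> bool:
    """The check a client must run after the handshake: does the certificate
    name the server we meant to reach?  `peercert` has the dict shape that
    ssl.SSLSocket.getpeercert() returns.  A certificate that is valid for some
    *other* domain fails here even though its chain verified fine; that is
    exactly the check the vulnerable client skipped.
    """
    sans = peercert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        # IP-literal hostnames are matched only against iPAddress SANs.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    dns_names = [val for kind, val in sans if kind == "DNS"]
    return hostname_matches(hostname, dns_names)


def make_client_context(validate_hostname: bool = True) -> ssl.SSLContext:
    """Client context.  create_default_context() already sets CERT_REQUIRED and
    check_hostname=True; validate_hostname=False (an assumed flag for this
    example) reproduces the weak configuration in which the chain is verified
    but the certificate's names are never compared with the target host."""
    ctx = ssl.create_default_context()
    if not validate_hostname:
        ctx.check_hostname = False   # weak: any valid certificate is accepted
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Findings a reviewer would raise against a library's TLS client context."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: chain not verified")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: certificate for any domain accepted")
    return findings


if __name__ == "__main__":
    # Constructed certificate data in getpeercert() shape; not real certificates.
    legit = {"subjectAltName": (("DNS", "xmpp.example.org"), ("DNS", "*.example.org"))}
    other = {"subjectAltName": (("DNS", "some-other-site.example.net"),)}  # valid, wrong name
    print(check_peer_hostname("xmpp.example.org", legit))   # True
    print(check_peer_hostname("xmpp.example.org", other))   # False
    print(audit_context(make_client_context(validate_hostname=False)))
```

When reviewing a client library, `audit_context` on the context it hands to `wrap_socket` or `loop.create_connection` is the quick check; `check_peer_hostname` is what a library that builds its own verification (as Slixmpp's XMLStream did) has to get right, and the wildcard rules are where hand-rolled matchers most often go wrong.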
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| slixmpp (PyPI) | < 1.8.3 | 1.8.3 |
Affected products
- Slixmpp/Slixmpp
  Package identifiers: pkg:pypi/slixmpp; pkg:rpm/opensuse/python-slixmpp (openSUSE Leap 15.3, openSUSE Leap 15.4, openSUSE Tumbleweed); pkg:rpm/suse/python-slixmpp (SUSE Package Hub 15 SP3, SUSE Package Hub 15 SP4)
  Affected version ranges (no CPE):
  - PyPI slixmpp: < 1.8.3
  - openSUSE Leap 15.3 python-slixmpp: < 1.4.2-bp153.2.3.1
  - openSUSE Leap 15.4 python-slixmpp: < 1.4.2-bp154.2.3.1
  - openSUSE Tumbleweed python-slixmpp: < 1.8.6-1.1
  - SUSE Package Hub 15 SP3 python-slixmpp: < 1.4.2-bp153.2.3.1
  - SUSE Package Hub 15 SP4 python-slixmpp: < 1.4.2-bp154.2.3.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-q6cq-m9gm-6q2f (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2022-45197 (GHSA; advisory)
- security.gentoo.org/glsa/202305-07 (GHSA; vendor advisory, web)
- github.com/poezio/slixmpp/commits/master/slixmpp/xmlstream/xmlstream.py (GHSA; web)
- github.com/poezio/slixmpp/tags (GHSA; web)
- github.com/pypa/advisory-database/tree/main/vulns/slixmpp/PYSEC-2022-43013.yaml (GHSA; web)
- lab.louiz.org/poezio/slixmpp/-/commit/b60b1b985db928532f97c4f61d6fbc801f0aa7fa (GHSA; web)
- lab.louiz.org/poezio/slixmpp/-/commits/master (GHSA; web)
News mentions
No linked articles in our index yet.