PatchSiren

CVE-2017-5592 Profanity Project CVE debrief

CVE-2017-5592 affects Profanity 0.4.7 through 0.5.0 and stems from an incorrect implementation of XEP-0280 Message Carbons. The practical risk is display impersonation: a remote attacker may be shown as another user, including a contact, which can enable social-engineering abuse and trust manipulation.

Vendor
Profanity Project
Product
Profanity (XMPP client)
CVSS
MEDIUM 5.9
CISA KEV
Not listed in stored evidence
Original CVE published
2017-02-09
Original CVE updated
2026-05-13
Advisory published
2017-02-09
Advisory updated
2026-05-13

Who should care

Anyone operating or relying on Profanity 0.4.7-0.5.0 clients, especially users who treat chat identity as a trusted signal for approvals, requests, or workflow decisions. Security teams should care if the client is used in environments where spoofed UI messages could mislead users.

Technical summary

NVD describes an incorrect implementation of XEP-0280: Message Carbons in Profanity that allows a remote attacker to impersonate any user in the vulnerable application's display. XEP-0280 requires a Carbons-enabled client to accept a forwarded copy only when the wrapping message's from attribute is the user's own bare JID and to ignore every other copy; a client that renders the forwarded inner message without that check will display whatever sender a third party puts inside the wrapper. The NVD record lists Profanity 0.4.7 and 0.5.0 (including the cited build variants) as affected, and assigns CVSS vector AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (5.9, Medium). NVD also maps the issue to CWE-20 (Improper Input Validation) and CWE-346 (Origin Validation Error). A patch commit is referenced in the source corpus.
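The check XEP-0280 requires, shown as an added example that is not Profanity's code and not taken from the referenced patch commit (whether that commit implements exactly this is not stated on this page). The two stanzas are constructed for the example; alice@example.org is the assumed local account and the unwrap functions are hypothetical helpers. The vulnerable variant unwraps any carbon it is handed; the hardened variant first compares the outer from attribute with the account's bare JID.

```python
import xml.etree.ElementTree as ET
from typing import Optional

NS_CLIENT = "jabber:client"
NS_CARBONS = "urn:xmpp:carbons:2"
NS_FORWARD = "urn:xmpp:forward:0"


def bare_jid(jid: str) -> str:
    """Strip the resource and lowercase. Simplification: a real client should
    apply RFC 7622 normalization rather than a plain lowercase()."""
    return jid.split("/", 1)[0].lower()


def _forwarded_message(root: ET.Element):
    """Return (direction, inner message element) for a carbon wrapper, or None."""
    for direction in ("received", "sent"):
        carbon = root.find(f"{{{NS_CARBONS}}}{direction}")
        if carbon is None:
            continue
        fwd = carbon.find(f"{{{NS_FORWARD}}}forwarded")
        if fwd is None:
            return None
        inner = fwd.find(f"{{{NS_CLIENT}}}message")
        if inner is None:
            return None
        return direction, inner
    return None


def _render(direction: str, inner: ET.Element) -> dict:
    body = inner.find(f"{{{NS_CLIENT}}}body")
    return {
        "direction": direction,
        "from": inner.get("from"),
        "to": inner.get("to"),
        "body": body.text if body is not None else None,
    }


def unwrap_carbon_vulnerable(stanza_xml: str, own_jid: str) -> Optional[dict]:
    """Trusts the carbon wrapper unconditionally: the outer from is never checked,
    so any peer that can send us a <message> can plant a forwarded copy that
    appears to come from anyone (the defect class described on this page)."""
    root = ET.fromstring(stanza_xml)
    found = _forwarded_message(root)
    return _render(*found) if found else None


def unwrap_carbon(stanza_xml: str, own_jid: str) -> Optional[dict]:
    """XEP-0280 rule: a carbon copy MUST come from the user's own bare JID;
    copies that do not are ignored (returned as None and never displayed)."""
    root = ET.fromstring(stanza_xml)
    if root.tag != f"{{{NS_CLIENT}}}message":
        return None
    outer_from = root.get("from")
    if outer_from is None or bare_jid(outer_from) != bare_jid(own_jid):
        return None
    found = _forwarded_message(root)
    return _render(*found) if found else None


def _wrapper(outer_from: str, inner_from: str, body: str) -> str:
    """Build a constructed 'received' carbon stanza for the example."""
    return (
        f"<message xmlns='{NS_CLIENT}' from='{outer_from}' "
        f"to='alice@example.org/laptop' type='chat'>"
        f"<received xmlns='{NS_CARBONS}'><forwarded xmlns='{NS_FORWARD}'>"
        f"<message xmlns='{NS_CLIENT}' from='{inner_from}' "
        f"to='alice@example.org/phone' type='chat'><body>{body}</body></message>"
        f"</forwarded></received></message>"
    )


OWN_JID = "alice@example.org/laptop"
# Legitimate carbon: the server relays it from alice's own bare JID.
LEGIT_CARBON = _wrapper("alice@example.org", "boss@example.org/phone",
                        "Please approve the transfer.")
# Forged carbon: sent directly by mallory, with a fake inner sender.
FORGED_CARBON = _wrapper("mallory@evil.example/x", "boss@example.org/phone",
                         "Please approve the transfer now.")

if __name__ == "__main__":
    for label, stanza in (("legit", LEGIT_CARBON), ("forged", FORGED_CARBON)):
        print(label, "vulnerable:", unwrap_carbon_vulnerable(stanza, OWN_JID))
        print(label, "hardened:  ", unwrap_carbon(stanza, OWN_JID))
```

Running the block shows the vulnerable path rendering the forged copy as a message from boss@example.org, while the hardened path drops it and still accepts the server-relayed copy.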

Defensive priority

Medium; patch promptly for any exposed or actively used Profanity 0.4.7-0.5.0 deployment because the issue can undermine message trust and enable social engineering, even though the CVSS score is not high.

Recommended defensive actions

  • Update Profanity to a release that contains the referenced fix commit.
  • Review any workflows that rely on chat identity as a trusted approval or verification signal.
  • Warn users that sender appearance alone should not be treated as proof of identity in affected environments.
  • If immediate upgrading is not possible, limit reliance on message-origin cues and increase out-of-band verification for sensitive requests.
  • Track NVD and vendor references for remediation details tied to the referenced patch commit.

Evidence notes

Source data states: 'An incorrect implementation of XEP-0280: Message Carbons in multiple XMPP clients allows a remote attacker to impersonate any user, including contacts, in the vulnerable application's display.' The NVD CVSS vector is AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (5.9). The NVD CPEs mark Profanity 0.4.7 and 0.5.0 as vulnerable, and the record lists CWE-20 and CWE-346. References in the corpus include the vendor patch commit, an Openwall mailing-list item, and third-party technical analysis. Published 2017-02-09; NVD modified 2026-05-13.

Official resources

CVE-2017-5592 was published on 2017-02-09 and later modified in NVD on 2026-05-13. The supplied source corpus ties the issue to Profanity 0.4.7-0.5.0 and cites a patch commit plus third-party technical references.