Security Issue: Uncontrolled Resource Consumption with XMPP-Layer Compression h-highly-compressed-xmpp-stanzas/

Any insight how to mitigate this issue on older servers? Reportedly, Openfire 3.9.2 resolves this issue, but it doesn’t appear to be downloadable to the public.

It’s also reportedly recommended to disable XMPP Compression. I found the xmpp.client.compression.policy setting, but I don’t know if this is a solution or not. It’s not a property by default in our System Properties, and I figured I’d ask before tinkering.

Thank you,


This commit is in reference to this CVE fe946766bbd3758af77

Unsure when we’ll get a new release pushed out.

You can either open

Server / Server Manager / System Properties and set there:

‘xmpp.client.compression.policy’ = ‘disabled’

‘xmpp.server.compression.policy’ = ‘disabled’

Or use the easier way:

Server / Server Settings / Compression Settings

Client Compression Policy

[x] Not Available - Clients will not receive the option to use compressed traffic.

Openfire 3.9.2 is indeed not yet available.

Thank you both!


OF-770 created to tie up the loose end on this