Threat Advisory

Pomerium Flaw Lets Attackers Crash Proxy with Unbounded zstd Decompression

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High
[subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-50285 is a high-severity vulnerability affecting gomod versions >= 0.32.6, < 0.32.8 affecting gomod versions >= 0 in the Pomerium proxy process, allowing an attacker to cause unbounded memory allocation and crash the proxy via the pre-auth callback endpoint. The HPKE V2 URL decode path decompresses attacker-controlled zstd data without any size limit, leading to a denial-of-service against any Pomerium proxy using the hosted/stateless authenticate flow. An attacker can reach the proxy, allocate hundreds of megabytes of server memory per HTTP request by sending a ~20–40 KB payload, and sustain an attack with concurrent requests to exhaust available memory and crash the proxy process blocking all user access to every application protected by that Pomerium deployment. No credentials, session cookies, or insider access are required for this attack. The vulnerability has a CVSS score of 7.5 and is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-1284 (Improper Validation of Specified Quantity in Input).

RECOMMENDATION:

We recommend you to update gomod to version 0.32.8.[/subscribe_to_unlock_form]

EXECUTIVE SUMMARY:

CVE-2026-50285 is a high-severity vulnerability affecting gomod versions >= 0.32.6, < 0.32.8 affecting gomod versions >= 0 in the Pomerium proxy process, allowing an attacker to cause unbounded memory allocation and crash the proxy via the pre-auth callback endpoint. The HPKE V2 URL decode path decompresses attacker-controlled zstd data without any size limit, leading to a denial-of-service against any Pomerium proxy using the hosted/stateless authenticate flow. An attacker can reach the proxy, allocate hundreds of megabytes of server memory per HTTP request by sending a ~20–40 KB payload, and sustain an attack with concurrent requests to exhaust available memory and crash the proxy process blocking all user access to every application protected by that Pomerium deployment. No credentials, session cookies, or insider access are required for this attack. The vulnerability has a CVSS score of 7.5 and is classified as CWE-400 (Uncontrolled Resource Consumption) and CWE-1284 (Improper Validation of Specified Quantity in Input).

RECOMMENDATION:

We recommend you to update gomod to version 0.32.8.[emaillocker id="1283"]

REFERENCES:

The following reports contain further technical details:

[/emaillocker]
crossmenu