{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/pomerium--0.32.6--0.32.8/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Pomerium (\u003e= 0.32.6, \u003c 0.32.8)","Pomerium Zero"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","network","vulnerability","go"],"_cs_type":"advisory","_cs_vendors":["Pomerium"],"content_html":"\u003cp\u003ePomerium deployments configured for stateless authentication flows (Pomerium Zero or hosted \u003ccode\u003eauthenticate.pomerium.app\u003c/code\u003e) are susceptible to a pre-authentication denial of service (DoS) due to unbounded zstd decompression, tracked as CVE-2026-50285. An attacker can leverage the publicly available HPKE receiver public key to craft a malicious payload that, when delivered to the \u003ccode\u003e/.pomerium/callback\u003c/code\u003e endpoint, causes the Pomerium proxy to allocate excessive amounts of memory. This vulnerability in \u003ccode\u003epkg/hpke/url.go\u003c/code\u003e allows a small (~20-40 KB) compressed input to expand into hundreds of megabytes of uncompressed data, exhausting proxy resources before sender identity validation can occur. This issue impacts Pomerium versions 0.32.6 up to, but not including, 0.32.8 and presents a significant availability risk to organizations relying on Pomerium for application access control.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a Pomerium proxy deployment utilizing the stateless authentication flow.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves the Pomerium proxy's public HPKE receiver key by sending an HTTP GET request to the publicly accessible \u003ccode\u003e/.well-known/pomerium/hpke-public-key\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe attacker generates their own ephemeral HPKE sender key pair to encrypt the malicious payload.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a zstd \u0026quot;decompression bomb\u0026quot; payload, designed to be small when compressed but expand into a very large amount of data upon decompression (e.g., 19 KB compressed to 128 MiB uncompressed).\u003c/li\u003e\n\u003cli\u003eThe attacker uses their generated sender private key and Pomerium's retrieved receiver public key to encrypt (seal) the decompression bomb payload.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to the pre-authenticated \u003ccode\u003e/.pomerium/callback\u003c/code\u003e endpoint on the Pomerium proxy, including the encrypted decompression bomb as a query parameter (e.g., \u003ccode\u003eq\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe Pomerium proxy receives the request and, before validating the sender's identity, proceeds to decrypt and decompress the payload using \u003ccode\u003ehpke.DecryptURLValues\u003c/code\u003e and \u003ccode\u003edecodeQueryStringV2\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to the lack of an output size limit in \u003ccode\u003edecodeQueryStringV2\u003c/code\u003e, the decompression of the malicious payload consumes a disproportionate amount of server memory, leading to process degradation, unresponsiveness, or a crash, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability enables a pre-authentication denial of service (DoS) against any Pomerium proxy using the hosted/stateless authenticate flow (Pomerium Zero or \u003ccode\u003eauthenticate.pomerium.app\u003c/code\u003e). An attacker with network reachability to the proxy's HTTPS port can allocate hundreds of megabytes of server memory per HTTP request by sending a small (approximately 20 - 40 KB) malicious payload. Sustained attacks with concurrent requests can quickly exhaust available memory, leading to the crash of the proxy process and effectively blocking all user access to every application protected by that Pomerium deployment. No credentials, session cookies, or insider access are required for this attack.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Pomerium to version 0.32.8 or later immediately to address CVE-2026-50285.\u003c/li\u003e\n\u003cli\u003eMonitor the memory usage of Pomerium proxy processes for sudden spikes or sustained high consumption, which could indicate a decompression bomb attack.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not possible, consider implementing network-level rate limiting or Web Application Firewall (WAF) rules to restrict repeated requests to the \u003ccode\u003e/.pomerium/callback\u003c/code\u003e endpoint from suspicious IP addresses, referencing the IOCs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-15T23:08:59Z","date_published":"2026-07-15T23:08:59Z","id":"https://feed.craftedsignal.io/briefs/2026-07-pomerium-dos/","summary":"Pomerium proxy deployments using the stateless authentication flow (Pomerium Zero or hosted authenticate) are vulnerable to a pre-authentication memory exhaustion denial of service, allowing an unauthenticated attacker to send specially crafted HPKE-encrypted zstd payloads to the `/.pomerium/callback` endpoint, leading to excessive memory allocation and potential proxy crashes.","title":"Pomerium Pre-Auth Memory Exhaustion via Unbounded zstd Decompression","url":"https://feed.craftedsignal.io/briefs/2026-07-pomerium-dos/"}],"language":"en","title":"CraftedSignal Threat Feed - Pomerium (\u003e= 0.32.6, \u003c 0.32.8)","version":"https://jsonfeed.org/version/1.1"}