<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pomerium Zero - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/pomerium-zero/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 15 Jul 2026 23:08:59 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/pomerium-zero/feed.xml" rel="self" type="application/rss+xml"/><item><title>Pomerium Pre-Auth Memory Exhaustion via Unbounded zstd Decompression</title><link>https://feed.craftedsignal.io/briefs/2026-07-pomerium-dos/</link><pubDate>Wed, 15 Jul 2026 23:08:59 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-pomerium-dos/</guid><description>Pomerium proxy deployments using the stateless authentication flow (Pomerium Zero or hosted authenticate) are vulnerable to a pre-authentication memory exhaustion denial of service, allowing an unauthenticated attacker to send specially crafted HPKE-encrypted zstd payloads to the `/.pomerium/callback` endpoint, leading to excessive memory allocation and potential proxy crashes.</description><content:encoded><![CDATA[<p>Pomerium deployments configured for stateless authentication flows (Pomerium Zero or hosted <code>authenticate.pomerium.app</code>) are susceptible to a pre-authentication denial of service (DoS) due to unbounded zstd decompression, tracked as CVE-2026-50285. An attacker can leverage the publicly available HPKE receiver public key to craft a malicious payload that, when delivered to the <code>/.pomerium/callback</code> endpoint, causes the Pomerium proxy to allocate excessive amounts of memory. This vulnerability in <code>pkg/hpke/url.go</code> allows a small (~20-40 KB) compressed input to expand into hundreds of megabytes of uncompressed data, exhausting proxy resources before sender identity validation can occur. This issue impacts Pomerium versions 0.32.6 up to, but not including, 0.32.8 and presents a significant availability risk to organizations relying on Pomerium for application access control.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An unauthenticated attacker identifies a Pomerium proxy deployment utilizing the stateless authentication flow.</li>
<li>The attacker retrieves the Pomerium proxy's public HPKE receiver key by sending an HTTP GET request to the publicly accessible <code>/.well-known/pomerium/hpke-public-key</code> endpoint.</li>
<li>The attacker generates their own ephemeral HPKE sender key pair to encrypt the malicious payload.</li>
<li>The attacker crafts a zstd &quot;decompression bomb&quot; payload, designed to be small when compressed but expand into a very large amount of data upon decompression (e.g., 19 KB compressed to 128 MiB uncompressed).</li>
<li>The attacker uses their generated sender private key and Pomerium's retrieved receiver public key to encrypt (seal) the decompression bomb payload.</li>
<li>The attacker sends an HTTP GET request to the pre-authenticated <code>/.pomerium/callback</code> endpoint on the Pomerium proxy, including the encrypted decompression bomb as a query parameter (e.g., <code>q</code>).</li>
<li>The Pomerium proxy receives the request and, before validating the sender's identity, proceeds to decrypt and decompress the payload using <code>hpke.DecryptURLValues</code> and <code>decodeQueryStringV2</code>.</li>
<li>Due to the lack of an output size limit in <code>decodeQueryStringV2</code>, the decompression of the malicious payload consumes a disproportionate amount of server memory, leading to process degradation, unresponsiveness, or a crash, resulting in a denial of service.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability enables a pre-authentication denial of service (DoS) against any Pomerium proxy using the hosted/stateless authenticate flow (Pomerium Zero or <code>authenticate.pomerium.app</code>). An attacker with network reachability to the proxy's HTTPS port can allocate hundreds of megabytes of server memory per HTTP request by sending a small (approximately 20 - 40 KB) malicious payload. Sustained attacks with concurrent requests can quickly exhaust available memory, leading to the crash of the proxy process and effectively blocking all user access to every application protected by that Pomerium deployment. No credentials, session cookies, or insider access are required for this attack.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Upgrade Pomerium to version 0.32.8 or later immediately to address CVE-2026-50285.</li>
<li>Monitor the memory usage of Pomerium proxy processes for sudden spikes or sustained high consumption, which could indicate a decompression bomb attack.</li>
<li>If immediate patching is not possible, consider implementing network-level rate limiting or Web Application Firewall (WAF) rules to restrict repeated requests to the <code>/.pomerium/callback</code> endpoint from suspicious IP addresses, referencing the IOCs.</li>
</ul>
]]></content:encoded><category domain="severity">medium</category><category domain="type">advisory</category><category>denial-of-service</category><category>network</category><category>vulnerability</category><category>go</category></item></channel></rss>