Vendor
Pomerium proxy deployments using the stateless authentication flow (Pomerium Zero or hosted authenticate) are vulnerable to a pre-authentication memory exhaustion denial of service, allowing an unauthenticated attacker to send specially crafted HPKE-encrypted zstd payloads to the `/.pomerium/callback` endpoint, leading to excessive memory allocation and potential proxy crashes.