
PEACH
Un cadre d’isolation des locataires
CVE-2026-50285 is a pre-authentication memory exhaustion vulnerability in Pomerium, an identity-aware proxy, caused by unbounded zstd decompression in the HPKE V2 callback path. It affects Pomerium versions >= 0.32.6 and < 0.32.8 (Go module github.com/pomerium/pomerium). The vulnerability was originally published on June 4, 2026, and added to the GitHub Advisory Database on July 15, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Pomerium Advisory).
The root cause is uncontrolled resource consumption (CWE-400) combined with improper validation of input quantity (CWE-1284) in pkg/hpke/url.go. The decodeQueryStringV2 function calls zstdDecoder.DecodeAll(raw, nil) with no output size cap — zstd.WithDecoderLowmem(true) only reduces the decoder's own footprint, not the decompressed output size. Because Pomerium's HPKE receiver public key is publicly served at /.well-known/pomerium/hpke-public-key, an attacker can generate their own sender key pair, encrypt a zstd decompression bomb (e.g., ~19 KB compressing to 128 MiB), and deliver it to the unauthenticated /.pomerium/callback endpoint. The HPKE Open call succeeds because it only verifies consistency between the attacker-supplied sender public key and the sealed payload — sender identity validation (validateSenderPublicKey) occurs after decompression completes, meaning the memory spike is unconditional. Only stateless/hosted authenticate deployments (Pomerium Zero) are affected; self-hosted stateful deployments verify an HMAC-SHA256 signature before any decryption or decompression (GitHub Advisory).
Successful exploitation causes a pre-authentication denial of service against the Pomerium proxy process. Each malicious HTTP request (~20–40 KB payload) can force the server to allocate hundreds of megabytes of memory; concurrent or repeated requests can exhaust all available process memory and crash the proxy. A crash blocks all user access to every application protected by the affected Pomerium deployment. There is no confidentiality or integrity impact — the vulnerability is purely an availability issue confined to the proxy process itself (Pomerium Advisory).
https://TARGET_HOSTNAME/.well-known/pomerium/hpke-public-key to obtain Pomerium's 32-byte HPKE public key — no credentials required.github.com/pomerium/pomerium/pkg/hpke package, call hpke.GeneratePrivateKey() to create a fresh ephemeral key pair."x=" + strings.Repeat("A", 128*1024*1024)) and compress it with zstd, producing a ~19 KB compressed blob that expands to ~128 MiB.hpke.Seal(attackerPriv, receiverPub, compressed) to encrypt the bomb using the attacker's private key and the server's public key. The HPKE Open call on the server will succeed because it only checks consistency between the supplied sender public key and the sealed ciphertext.https://TARGET_HOSTNAME/.pomerium/callback/?k=<attacker_pubkey>&q=<base64_sealed_bomb>. The server decompresses the payload unconditionally before rejecting the attacker's identity./.pomerium/callback/ with query parameters k (base64-encoded 32-byte key) and q (large base64-encoded blob) from one or more source IPs; requests with unusually large q parameter values (~20–40 KB encoded)./.pomerium/callback with large query strings and subsequent validateSenderPublicKey rejection errors; Go runtime out-of-memory (OOM) errors or process crash logs./.well-known/pomerium/hpke-public-key from the same source IP, indicating reconnaissance to retrieve the public key before the attack (GitHub Advisory).Upgrade to Pomerium v0.32.8, which fixes the vulnerability by adding zstd.WithDecoderMaxMemory(4*1024*1024) to the zstd decoder initialization in pkg/hpke/url.go, capping decompressed output at 4 MiB. The patch was released on June 4, 2026 (commit 593eb81). Self-hosted deployments using the stateful authentication flow are not affected and do not require immediate action. As a secondary mitigation (not a substitute for patching), network-level controls can restrict access to /.pomerium/callback from untrusted sources, though this may interfere with legitimate OAuth flows (Pomerium Release, Patch Commit).
The vulnerability was discovered and reported by bugbunny.ai and was published by Pomerium maintainer calebdoxsey on June 4, 2026. The advisory was added to the GitHub Advisory Database on July 15, 2026. No significant broader media coverage or notable community commentary beyond the official advisory has been identified at this time (GitHub Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."