GHSA-ggw3-5987-rx77: Pomerium Pre-Auth Memory Exhaustion via Unbounded zstd Decompression in HPKE Callback
Summary
Pomerium's authentication callback endpoint allows unauthenticated attackers to send specially crafted encrypted messages that trigger unbounded decompression of zstd-compressed data (a compression algorithm), causing the proxy to allocate unlimited memory and crash. The vulnerability exists because the code decompresses attacker-controlled data before validating who sent it, and unlike other parts of Pomerium's code, it doesn't limit how much memory the decompression can use.
Solution / Mitigation
The source text does not explicitly describe a fix, patch, or version update. It documents the vulnerability and its root causes but does not state how to remediate it. N/A -- no mitigation discussed in source.
Vulnerability Details
EPSS: 0.0%
Yes
July 15, 2026
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-ggw3-5987-rx77
First tracked: July 15, 2026 at 08:01 PM
Classified by LLM (prompt v3) · confidence: 95%