CVE-2024-39315
CVE-2024-39315 is a medium-severity vulnerability in Pomerium with a CVSS 3.x base score of 5.7. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-201.
Key facts
- Severity: Medium (CVSS 3.x base score 5.7)
- EPSS exploit prediction: 0% (33rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2024-2413
- Weakness: CWE-201
- Affected product: Pomerium
- Published:
- Last modified:
Description
Pomerium is an identity and context-aware access proxy. Prior to version 0.26.1, the Pomerium user info page (at `/.pomerium`) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users. This issue may be more severe in the presence of a cross-site scripting vulnerability in an upstream application proxied through Pomerium. If an attacker could insert a malicious script onto a web page proxied through Pomerium, that script could access these tokens by making a request to the `/.pomerium` endpoint. Upstream applications that authenticate only the ID token may be vulnerable to user impersonation using a token obtained in this manner. Note that an OAuth2 access token or ID token by itself is not sufficient to hijack a user's Pomerium session. Upstream applications should not be vulnerable to user impersonation via these tokens provided the application verifies the Pomerium JWT for each request, the connection between Pomerium and the application is secured by mTLS, or the connection between Pomerium and the application is otherwise secured at the network layer. The issue is patched in Pomerium v0.26.1. No known workarounds are available.
Frequently asked questions
- What is CVE-2024-39315?
- Pomerium is an identity and context-aware access proxy. Prior to version 0.26.1, the Pomerium user info page (at `/.pomerium`) unintentionally included serialized OAuth2 access and ID tokens from the logged-in user's session. These tokens are not intended to be exposed to end users. This issue may be more severe in the presence of a cross-site scripting vulnerability in an upstream application proxied through Pomerium. If an attacker could insert a malicious script onto a web page proxied through Pomerium, that script could access these tokens by making a request to the `/.pomerium` endpoint. Upstream applications that authenticate only the ID token may be vulnerable to user impersonation using a token obtained in this manner. Note that an OAuth2 access token or ID token by itself is not sufficient to hijack a user's Pomerium session. Upstream applications should not be vulnerable to user impersonation via these tokens provided the application verifies the Pomerium JWT for each request, the connection between Pomerium and the application is secured by mTLS, or the connection between Pomerium and the application is otherwise secured at the network layer. The issue is patched in Pomerium v0.26.1. No known workarounds are available.
- How severe is CVE-2024-39315?
- CVE-2024-39315 has a CVSS 3.x base score of 5.7, rated medium severity. It is exploitable over network with low attack complexity, requires low privileges and user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2024-39315 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (33rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2024-39315?
- CVE-2024-39315 affects Pomerium. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2024-39315?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2024-39315 have an EU (EUVD) identifier?
- Yes. CVE-2024-39315 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2024-2413.
- When was CVE-2024-39315 published?
- CVE-2024-39315 was published on 2024-07-02 and last updated on 2026-06-17.
References
- https://github.com/pomerium/pomerium/commit/4c7c4320afb2ced70ba19b46de1ac4383f3daa48
- https://github.com/pomerium/pomerium/security/advisories/GHSA-rrqr-7w59-637v
Affected products (1)
- cpe:2.3:a:pomerium:pomerium:*:*:*:*:*:*:*:*
More vulnerabilities in Pomerium
- CVE-2023-33189 — Critical (CVSS 10.0): Pomerium is an identity and context-aware access proxy. With specially crafted requests, incorrect authorization…
- CVE-2021-39206 — High (CVSS 8.6): Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, contains two authorization…
- CVE-2021-39162 — High (CVSS 8.6): Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, can abnormally terminate if…
- CVE-2021-39204 — High (CVSS 7.5): Pomerium is an open source identity-aware access proxy. Envoy, which Pomerium is based on, incorrectly handles…
- CVE-2022-24797 — Medium (CVSS 6.5): Pomerium is an identity-aware access proxy. In distributed service mode, Pomerium's Authenticate service exposes pprof…
- CVE-2021-29652 — Medium (CVSS 6.1): Pomerium from version 0.10.0-0.13.3 has an Open Redirect in the user sign-in/out process
Other CWE-201 vulnerabilities
- CVE-2025-49408 — Critical (CVSS 10.0): Insertion of Sensitive Information Into Sent Data vulnerability in WPDeveloper Templately allows Retrieve Embedded…
- CVE-2024-7205 — Critical (CVSS 9.4): When the device is shared, the homepage module are before 2.19.0 in eWeLink Cloud Service allows Secondary user to…
- CVE-2026-39912 — Critical (CVSS 9.1): V2Board 1.6.1 through 1.7.4 and Xboard through 0.1.9 expose authentication tokens in HTTP response bodies of the…
- CVE-2025-48749 — Critical (CVSS 9.1): Netwrix Directory Manager (formerly Imanami GroupID) v11.0.0.0 and before & after v.11.1.25134.03 inserts Sensitive…
- CVE-2025-11500 — High (CVSS 8.7): Tinycontrol devices such as tcPDU and LAN Controllers LK3.5, LK3.9 and LK4 have two separate authentication…
- CVE-2025-48045 — High (CVSS 8.7): An unauthenticated HTTP GET request to the /client.php endpoint will disclose the default administrator user…