CVE-2024-43201

EUVD-2024-40102
The Planet Fitness Workouts iOS and Android mobile apps fail to properly validate TLS certificates, allowing an attacker with appropriate network access to obtain session tokens and sensitive information. Planet Fitness first addressed this vulnerability in version 9.8.12 (released on 2024-07-25) and more recently in version 9.9.13 (released on 2025-02-11).
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.8 HIGH
ADJACENT_NETWORK
LOW
NONE
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cisa-cgCNA
8.8 HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 32%
Affected Products (NVD)
VendorProductVersion
planetfitnessplanet_fitness_workouts
𝑥
< 9.8.12
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://apps.apple.com/us/app/planet-fitness-workouts/id399857015
https://dontvacuum.me/bugs/pf/